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Abstract - We have designed a new class of public key algorithms based on quasigroup string trans- 
formations using a specific class of quasigroups called multivariate quadratic quasigroups (MQQ). Our 
public key algorithm is a bijective mapping, it does not perform message expansions and can be used 
both for encryption and signatures. The public key consist of n quadratic polynomials with n variables 
where n = 140, 160, .... A particular characteristic of our public key algorithm is that it is very fast and 
■ highly parallelizable. More concretely, it has the speed of a typical modern symmetric block cipher - the 

I reason for the phrase "A Public Key Block Cipher" in the title of this paper. Namely the reference C 

^ ■ code for the 160-bit variant of the algorithm performs decryption in less than 11,000 cycles (on Intel 

Q I Core 2 Duo - using only one processor core), and around 6,000 cycles using two CPU cores and OpenMP 

'— 2.0 library. However, implemented in Xilinx Virtex-5 FPGA that is running on 249.4 MHz it achieves 
^ I decryption throughput of 399 Mbps, and implemented on four Xilinx Virtex-5 chips that are running on 

^ i 276.7 MHz it achieves encryption throughput of 44.27 Gbps. Compared to fastest RSA implementations 

t*^ — ' on similar FPGA platforms, MQQ algorithm is more than 10,000 times faster. 

^ : 

I Keywords - Public Key Cryptosystems, Fast signature generation. Multivariate Quadratic Polyno- 

. mials, Quasigroup String Transformations, Multivariate Quadratic Quasigroup 
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59 ■ 1 Introduction 

O ■ 

_ ^ ' The public key paradigm initially described in the seminal paper of Difhe and Hellman [9] , have completely 

, changed and re-shaped modern cryptography. The fruits of that change are noticeable now, 30 years 

}^ ' after, with the boom of the Internet, digital telecommunications, the convergence of information and 

5^ \ communication technologies and the onset of the modern e-society. Most of the security protocols in 

these fields in one way or the other use the Public Key paradigm. 

The most popular Public Key Cryptosystem (PKC) schemes are the Diffie and Hellman (DH) key 
exchange scheme based on the hardness of discrete logarithm problem [3], the Rivest, Shamir and Adleman 
(RSA) scheme based on the difficulty of integer factorization [1^, and the Koblitz and Miller (ECC - 
Elliptic Curve Cryptography) scheme based on the discrete logarithm problem in an additive group of 
points defined by elliptic curves over finite fields [26131] . There are two common characteristics of these 
well known PKCs (DH, RSA and ECC): 1. their speed - which frequently is a thousand times lower than 
the symmetric cryptographic schemes, 2. their security - which relies on one of two hard mathematical 
problems: efficient computation of discrete logarithms and factorization of integers. 

Several other ideas have been proposed during the last 30 years, such as McEliece PKC based on error 
correcting codes [30], Rabin's digital signature method [39 , PKCs based on lattice reduction problems 
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[1118 ' and on lattice problems over rings such as NTRU [H] , PKCs based on braid groups [2S] and PKCs 
based on Multivariate Quadratic (MQ) polynomials. 

The main spiritus movens for proposing new PKCs is the following wide-spread cryptographic folklore 
wisdom: "it is not wise to keep all the eggs in one basket". However, from the performance point of view, 
there is always another practical motivation: "to design secure public key crypto systems that has better 
speed performance ". 

1.1 Public key schemes based on MQ polynomials 

There are 4 basic trapdoor functions that are based on multivariate quadratic polynomials. An excellent 
survey for those four classes of multivariate quadratic public key cryptosystems has been made by Wolf 
and Preneel in |47| . Here we give a brief summary. 

The first MQ scheme called MIA is that of Matsumoto and Imai 22J from 1985. That scheme was 
broken in 1995 by Patarin [33] . 

The second MQ scheme called STS (Stepwise Triangular Scheme) was first introduced in 1993 by 
Shamir 41j in the variant called Birational Permutation Schemes and was successfully broken by Cop- 
persmith, Stern and Vaudenay in the same year 6 . In 1999 a MQ scheme which is a variant of STS 
called TTM was proposed by Moh [3Z. That scheme was broken in 2000 by Goubin and Courtois [TO] . 
They generalized the STS into the scheme TPM (Triangle Plus Minus) for which the TTM of Moh is a 
special case. The whole STS class has been broken by Wolf, Braeken and Preneel in 2004 [33]. 

The third MQ scheme called HFE (Hidden Field Equations) was designed by Patarin j34|35j in 1996. 
It is a sort of generalization of the MIA scheme. Basic HFE was broken by solving instances of the 
MinRank problem, by Kipnis and Shamir 24J in 1999. Several modifications of the scheme have been 
proposed [45] but also several new successful attacks have been published 46 48]. 

The forth scheme called UOV (Unbalanced Oil and Vinegar) was proposed in 1999 by Kipnis, Patarin, 
and Goubin [23] and is a generalization of the original Oil and Vinegar scheme of Patarin [36] from 
1997. Some basic variants of UOV have been successfully broken in 4 48 . The main design fiaw of this 
scheme is the fact that one set of variables (vinegar variables) are combined quadratically, but the other 
complementary set of variables (oil variables) are combined with only vinegar variables in a quadratic way. 
This design characteristic was the source of some successful attacks on this scheme. Also, this algorithm 
can only be used for signature schemes. However, for some carefully chosen parameters the scheme is 
considered still not broken. 

Wolf and Preneel [37] have also indicated numerous ways how to tweak all those MQ systems. 

1.2 Our results 

We have designed a new class of MQ trapdoor functions. The generation of our trapdoor functions is 
based on the theory of quasigroups and quasigroup string transformations. In Section [2] we give a brief 
introduction to quasigroups and quasigroup string transformations. In the same section we define a new 
special class of so called Multivariate Quadratic Quasigroups (MQQ). In Section[3]we describe a public- 
key cryptosystem based on MQQs. Its operating characteristics are given in Section |31 We discuss the 
security of our PKC in Section [5] Conclusions are given in Section [6] 
The results about our PKC can be briefiy summarized as: 

• it is a deterministic one-to-one mapping; 

• there is no message expansion; 

• it has one parameter n (= 140, 160, 180, 200 . . .) - the bit length of the encrypted block; 

• its conjectured security level when n > 140 bits is 2t; 

• its encryption speed is comparable to the speed of other multivariate quadratic PKCs; 

• its decryption/signature speed is as a typical symmetric block cipher (i.e., in the range of 500-1000 
times faster than the most popular public key schemes); 

• it is well suited for short signatures. 



2 Preliminaries 



In this section we will briefly introduce quasigroup string transformations in 12.11 representation of the 
quasigroups as vector valued Boolean functions in l2.21 we will discuss the class of multivariate quadratic 
quasigroups in l2.3i and the bijection of Dobbertin in 12.41 



2.1 Quasigroup string transformations 

Here we give a brief overview of quasigroups and quasigroup string transformations. A more detailed 
explanation is found in |3I8I28I29I42] . 

Definition 1. A quasigroup (Q,*) is a groupoid satisfying the law 

{\fu,v ^ Q){3lx,y G Q) u*x — vk,y*u = v. (1) 

It follows from ([1]) that for each a,b G Q there is a unique x G Q such that a*x — b. Then we denote 
X — a\^ b where \* is a binary operation in Q (called a left parastrophe of *) and the groupoid (Q, \,) 
is a quasigroup too. The algebra {Q, *, \*) satisfies the identities 



x\*{x*y)^y, x*{x\^y)=y. 



(2) 



Consider an alphabet (i.e., a finite set) Q, and denote by the set of all nonempty words (i.e., 
finite strings) formed by the elements of Q. In this paper, depending on the context, we will use two 
notifications for the elements of Q^: 0102 . . . a„ and (oi, 02, ... , a„), where G Q. Let * be a quasigroup 
operation on the set Q. For each I G Q we define two functions e; „, : —^ as follows: 



a„. Then 

bn-i * an, 



Definition 2. Let ai G Q, M = 0102 

ei,,(M) = 6162 ■ • • K 

hi=l* ai, 62 = &i * 02, ■ 
di^^{M) = C1C2 . . . c„ 

Cl = l*ai, C2 = fli * 02, . . . , c„ = a„_i =1= a„, 
i.e., = hi * Oi+i and q+i = * a^+i /or eac/i i = 0, 1, . . . , n — 1, where bo = oq = I. 

The functions e;^* and d;., arc called the e-transformation and the d-transformation of based 
on the operation * with leader / respectively. Graphical representations of e-transformation and d- 
transformation are shown in Fig. [TJ 
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Fig. 1. Graphical representations of the e; and di^^ transformations 



Theorem 1. If{Q,*) is a finite quasigroup, then e;^* and di \^ are mutually inverse permutations of 
Q+, i.e., 

di^\,{eL4M)) = M = ei,,{di^\,{M)) 
for each leader I G Q and for every string M G . I 



2.2 Quasigroups as vector valued Boolean functions 



To define a multivariate quadratic PKC for our purpose, we will use the presentation of finite quasigroups 
(Q,*) of order 2'^ by vector valued Boolean functions (v.v.b.f.). Consequently, we choose a bijection 
(3 : Q ^ {0,1, . . . ,2'^ — 1} and represent a G Q by the d-bit representation (3{a). Hence, for each a G Q 
there are uniquely determined bits xi,X2, ■ ■ ■ ,Xd £ {0, 1} (which depend on the choice of the bijection /3) 
such that a is represented by the string xiX2 ■ ■ ■ Xd- Then we identify a and its d-bit representation and 
write a = xiX2 ■ ■ - Xd or, sometimes, a = {xi,X2, ■ ■ ■ , Xd). Now, the binary operation * on Q can be seen 
as a vector valued operation : {0, 1}^'' {0, 1}'' defined as: 

a*b — c 

*vv{xi,X2, ■ ■ ■ ,xd,yi,y2, ■ ■ ■,yd) ^ {zi,z2, ■ ■ ■ ,zd), 
where Xi . . . Xd, yi ■ ■ ■ yd, zi . . . Zd are binary representations of a, b, c respectively. 

Each Zi depends of the bits xi,X2, ■ ■ ■ , Xd, yi,y2, ■ ■ ■ ,yd and is uniquely determined by them. So, each Zi 
can be seen as a 2(i-ary Boolean function Zi = fi{xi, X2, ■ ■ ■ , Xd, yi,y2, ■ ■ ■ , yd), where fi : {0, 1}^'* — » {0, 1} 
strictly depends on, and is uniquely determined by, *. Thus, we have the following: 

Lemma 1. For every quasigroup [Q, *) of order 2'^ and for each bijection Q — » {0, 1 . . . , 2^^ — 1} there 
are a uniquely determined v.v.b.f. >i!„^ and d uniquely determined 2d-ary Boolean functions fi, f2, ■ ■ ■ , fd 
such that for each a, 6, c G Q 

a*b^c<^=> *yy{xi,...,Xd,yi,...,yd) = 
= (/i(xi, . . . , xd,yi, . . . , yd), ■-, fd{xi, ...,xd,yi,.. ■,yd))- ■ 

Recall that each fc-ary Boolean function f{xi, . . . ,Xk) can be represented in a unique way by its 
algebraic normal form (ANF), i.e., as a sum of products 

k 

ANF{f) = ao + ^ aiXi + ^ aijXiXj + ^ aij^sXiXjXs + . . . , (3) 

1=1 i<i<j<k l<i<j<s<k 

where the coefficients ao, ai, on^j, . . . are in the set {0, 1} and the addition and multiplication are in the 
field GF[2). In the rest of the text we will abuse the notation and identify the Boolean function / and its 
ANF, i.e., we will take / — ANF{f). We say a polynomial f{xi, . . . , Xk) when we consider the arguments 
of / to be indeterminate variables xi, X2, ■ ■ ■ , Xk. 

The ANFs of the functions fi give us information about the complexity of the quasigroup (Q, *) via 
the degrees of the Boolean functions fi. It can be observed that the degrees of the polynomials ANF{fi) 
rise with the order of the quasigroup. In general, for a randomly generated quasigroup of order 2'^, d> A, 
the degrees are higher than 2. Such quasigroups are not suitable for our construction of multivariate 
quadratic PKC. 

2.3 Multivariate Quadratic Quasigroups 

In this subsection we define a special class of quasigroups, called multivariate quadratic quasigroups 
(MQQs) that can be of different types. 

Definition 3. A quasigroup (Q, *) of order 2'^ is called Multivariate Quadratic Quasigroup (MQQ) of 
type Quadd-kLiuk if exactly d — k of the polynomials fi are of degree 2 (i.e., are quadratic) and k of 
them are of degree 1 (i.e., are linear), where < k < d. 

Theorem [5] below gives us sufficient conditions for a quasigroup {Q,*) to be MQQ. 

Theorem 2. Let Ai = [fij]dxd and A2 = [gij\dxd be two dx d matrices of linear Boolean expressions, 
and let bi = [uijdxi cind b2 — [vi]dxi be two d x 1 vectors of linear or quadratic Boolean expressions. 



Let the functions fij and Ui depend only on variables a;i, . . . ^Xd, and let the functions gij and Vi depend 
only on variables Xd+i, ■ • ■ , X2d- If 

Det(Ai) = Det(A2) = 1 in GF{2) (4) 

and if 

Ai • {xd+i, X2d)'^ + bi = A2 • (xi, . . . , Xd)'^ + b2 (5) 

then the vector valued operation *vv{xi, ■ ■ ■ , X2d) — Ai • (x^+i, • ■ • , X2dY' + bi defines a quasigroup {Q, *) 
of order 2'^ that is MQQ. 

Proof. Consider the equation 

*vviai, ■ ■ ■ ,ad,Xd+i, ■ ■ ■ ,X2d) = (ci, ■ • ■ ,q) 

where Xd+i, ■ ■ ■ , X2d are unknown bits, while a^, Ci are given bits. We have the hnear system in GF{2) of 
kind 

A'l • {xd+i, . . . ,X2d)^ + b'l = (ci, . . ■,Cd)'^ J (6) 

where A'j^ and h'^ are the valuations of Ai and bi over the vector (ai, . . . , arf). Since Det(Ai) = 1, 
it follows that Det(A']^) = 1 too, so the linear system ([6]) has a unique solution {xd+i, ■ ■ ■ ,X2d)^ — 
(A']^)~^ • ((ci, . . . , CdY" ~ b']^). In the same manner a unique solution of the equation 

*vv{xi, ■ ■ ■ ,Xd,ad+i, ■ ■ ■ ,a2d) = (ci, ■ ■ ■ ,Cd) 

can be found, and *„„ is a v.v.b.f. of a quasigroup operation * on the set Q = {0, 1, . . . , 2** — 1}. The 
quasigroup {Q, *) is MQQ since the vector Ai • {xd+i, ■ ■ ■ , X2d)^ has as elements multivariate quadratic 
polynomials. 

Example 1. Let the quasigroup (Q, *) of order 2^ = 8 be given by the multiplication scheme in Table [2 
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Table 1. A quasigroup (Q, *) and its left parastrophe (Q, \) of order 8. 



The corresponding ANF representation of the operation * as a vector valued Boolean function is the 
following: 

*vv{xi,X2,X:!„Xi,X5,XQ) = (/l,/2,/3), 

where 

fi=xi+x-i+ X1X4 + X2X4 + X3X4 + a;5 + X1X5 + X2X5 + X3X5 + xiXq + X2Xq + x^x^, 

f2 = I + X2 + x-i + Xi + X1X4 + X2X4 + X3X4 + xi + X5 + X2X5 + X3X5 + X1X6 + X2Xe + xsxe, 

/a = 1 + a;2 + X3X4 + ^5 + X3X5 + xq + xixq + X2Xe + X3Xe- 

The corresponding matrix- vector representations of * by Ai, bi, and A2,b2, are the following: 



*vv{xi, X2, X3, X4, X5, xe) = Ai(a;4, xs, xe)^ + bi, 



^1 + 3=3 
1 + X2+X3 : 
1+^2 J 

*vv{xi,X2,X3,X4:,X5,xe) = A2 (a;i , a;2 , 2:3)^ + b2, 

1+^4 

1 +3=5 + _ 

Indeed in GF{2), Det(Ai) = Det(A2) = 1. 

While in this example the quasigroup (Q, *) is multivariate quadratic, its corresponding left parastro- 
phe (Q, \) is of higher degree (the degree is 3). Actually it is a typical behavior for the set of all MQQs. 
Their corresponding left parastrophes have ANF representation that has higher degree than 2. The ANF 
representation for (Q, \) in this example is the following: 

where 

gi — I + X2 + X1X3 + X2X3 + X1X4 + X2X4 + X1X3X4 + X2X3X4 + X5 + X3X5 + X1X3X5 + X2X3X5 + xiXq + 
X2Xe + X3Xe, 

92 = Xi+XiX3+X2X3+X4+XiX4+X2X4+XiX3X4+X2X3X4+X3X<^+XiX3X<i+X2X3Xf,+XiXti+X2X(i+X3XQ, 

g3 = I + xi + X2 + X3 + X4 + X1X4 + X2X4 + X1X5 + X2Xr^ + xe- 



where Ai = 



^1 + =2 + ^3 
1 + ^1+3:2+3=3 
^3 



1 + XI + X2 + X3 
XI + X2 + X3 
1 + X3 



XI + X2 + X3 
XI + X2 + X3 
1 + XI + X2 + X3 



and bi = 



where A2 



1 + X4 + X5 + a 
X4 + X5 + xg 



X4 + X5 
1 + X4 + : 
1 + = 



+ xg 



1 + X4 + X5 + 3 
1 + X4 + X5 + 3 
X4 + X5 + xg 



and b2 



By using Theorem 2 we define the procedure MQQ((i, k) for producing MQQs of order 2^* and of type 
Quadd^kLirik (see the Table[5]). 



MQQ(d,fc) 


Input: Integer d and integer k, < k < d 


Output: a quasigroup of order 2'' and of type Quada-kLint 


1. 


Randomly generate a d x d matrix Ai of linear Boolean expressions of variables x\, . . . , Xd, such 




that Det(Ai) = 1 in GF{2) and the number ^Const of constants or 1 in the matrix Ai satisfies 




the inequality kd < ^Const < {k + l)d . 


2. 


Randomly generate a d x 1 vector bi of linear Boolean expressions of variables xi, . . . , Xd- 


3. 


Compute the vector — Ai • X2 + bi, where X2 = {xd+i, ■ ■ ■ , X2d)'^ ■ 


4. 


Represent *„„ as *vv = A2 • xi + b2, where xi = {xi, . . . , Xd)^ ■ 


5. if (Det(A2) = 1 in GF{2)) and (*„„ is of type Quadd-kLiuk) 




then Return(*„„), 




else GoTo 1; 



Table 2. Heuristic algorithm for finding MQQs of order 2^ 



Note that the procedure MQQ((i, k) is a randomized algorithm for finding MQQs of order 2^^ and of 
type Quadd-kLiuk- For d = 5 the average number of attempts for finding MQQs of type Quad4Lini is 
around 2^^ and for finding MQQs of type Quad^LiuQ is around 2^^. However, MQQ(6, 0) did not give us 
any MQQ of order 2^. Finding MQQs of orders 2'^, d > 6, we consider as an open research problem. 

The definition of MQQs implies the following theorem: 

Theorem 3. Let Xi — (/i, /2, . . . , fd) cind X2 — {fd+i, fd+2, ■ • • , f2d) be two d-dimensional vectors of 
linear Boolean functions of variables Xi, . . . , Xd- Let (Q, *) be a multivariate quadratic quasigroup of type 
Quadd-kLiuk. If'K.x*n.-2 = {gi, . . . , gd) then at most d — k of the polynomials gi are multivariate quadratic 
and at least k polynomials are linear. ■ 



We want to emphasize that in a process of a random generation of MQQs of type Quadd-kLiuk, 
usuahy the number of quadratic polynomials is exactly d — k, and the number of linear polynomials is 
exactly k. However, there are rare cases when all quadratic terms can cancel each other, and the number 
of linear polynomials will be bigger than k while the number of quadratic polynomials will be less than 
d — k. Nevertheless, these cases, if they occur, can be easily detected, and quasigroups with such properties 
can be omitted from consideration as a candidates for the private key. 

2.4 The bijection of Dobbertin 

In our construction of the multivariate quadratic trapdoor bijective functions we mostly use the quasi- 
groups defined in the previous subsections with properties given in Theorem [T] and Theorem [31 However, 
by using only MQQs some of the coordinate functions will remain linear. In order to make a trapdoor 
bijective function {0,1}" {0,1}" that is multivariate quadratic in all of its coordinates we use the 
bijection of Dobbertin. 

Dobbertin has proved [H] that the function Dob(X) = X^^^'+i+X^+X is a bijection in GF{2'^'^+^). 
Moreover it is multivariate quadratic too. 

In our design of MQQ public key cryptosystem we use the bijection of Dobbertin for m = 6. 

3 Description of the algorithm 

A generic description for our scheme can be expressed as a typical multivariate quadratic system: ToP'oS : 
{0,1}" — >• {0,1}" where T and S are two nonsingular linear transformations, and P' is a bijective 
multivariate quadratic mapping on {0, 1}". 

First we will describe how the mapping P' : {0, 1}" {0, 1}" is defined by the algorithm described 
in Tabled 

For the reasons why in the "Preprocessing phase" we demand that "minimal rank of their quadratic 
polynomials when represented in matrix form is at least 8" please see the Subsection 15.41 

Additionally, note that the definition of the index set / = (11,12, ■■■ , ik-i) where ij G {1, 2, . . . , 8} can 
be either public or private. The security of the algorithm does not depend on the secrecy of that set. 

The algorithm for generating the public and private key is defined in the Table |4l We give in the 
Appendix a detailed example of the process of generating the public and private key with small number 
of variables n = 20. 

The algorithm for decryption/signing by the private key (T, 5, *i, . . . , Htg) is defined in Tabled 
The algorithm for encryption with the public key is straightforward application of the set of n multi- 
variate polynomials P = {P,;(xi, . . . , Xn) \ i — 1, ■ ■ ■ ,n} over a vector x = (xi, . . . , a;„), i.e., y — P(a;). 

4 Operating characteristics 

In this section we will discuss the size of the private and the public key as well as the number of operations 
per byte for encryption and decryption. 

4.1 The size of the public and the private key 

Since the public key consists of n multivariate quadratic equations, and they appear to be randomly 
generated, the size of the public key follows the rules given in [47] . So, for n bit blocks the size of the public 
key is n X (1 + "<"+^> ) bits. In the TableElwe give the size of the public key for n £ {140, 160, 180, 200} 
in KBytes. 

The private key of our scheme is the tuple (T, P,*i, . . . , ^g). The corresponding memory size needed 
for storage of T and P is 2n^ bits. The memory size for the quasigroups . . . , ^g), (actually for their 
parastrophes), is 8 x 32 x 32 x 5 = 40960 bits. For the storage of particular quasigroups in memory we note 



PM 

Input: Integer n, where n = 5k, k > 28, and a vector x = (/i, . . . , fn) of n linear Boolean functions of n variables. 
Output: Eight quasigroups *i, . . . , *g and n multivariate quadratic polynomials P/(a;i, . . . , Xn),i = 1, . . . ,n 

Preprocessing phase 

By calling the procedure MQQ(4,1) and MQQ(5,0) generate two large sets Quad4Lini and QuadsLino 
(with more than 2'^" elements each) of MQQs of type QuadnLini and of type QuadsLino such that 
the minimal rank of their quadratic polynomials when represented in matrix form is at least 8; 
Transform (by permuting the coordinates) all quasigroups in the set Quad4Lini such that 

their first coordinate is linear. 

1. Represent a vector x = (/i, . . . , fn) of n linear Boolean functions of n variables x\,. . . , Xn, as a string 
X = Xi . . . Xk where Xi are vectors of dimension 5; 

2. Pick randomly different quasigroups *i,*2 £ Quad4Lini and different quasigroups 
*3, *4, *5, *6, *7, *8 £ QuadsLino. 

3. Define a (fc — l)-tuple / = (ii, 12, . . . , ife-i) where ij £ {1, 2, . . . , 8}, that will used as an index 
set (sequence) to determine which quasigroup will be used in the nonlinear transformation of y. 

The requirement for this index set is that the total number of indexes that are refereing to a quasigroup 
from the class Quad4Lini is 8. 

4. Compute y = Yi . . .Yk where: Yi = Xi, Vj+i = Xj Xj+i, for j — 1,2, . . . , k — 1 

5. Set a 13-dimensional vector Z = Vil IVjii ,1 ||V)j2,i II ■ • ■ II^ms.i that has all 13 components as linear Boolean 
functions. Here the notation ,1 means the first coordinate of the vector Y^ .. 

6. Transform Z by the bijection of Dobbertin: W — Dob(^). 

7. Set Fi = iWi,W2, W3, Wi, W5), y^i,! = W^6, = W7, = Ws., y^„i = W9, = Ww, 

y^e.i = Wu, = M/12, Y-M8,i = Wvi. 

8. Output: Quasigroups *i, . . . , *8 and y as n multivariate quadratic polynomials Pl{xi, . . . ,x„), i = 1, . . . ,n. 

Table 3. Definition of the nonlinear mapping P' : {0, 1}" {0, 1}" 



Algorithm for generating Public and Private key for the MQQ scheme 
Input: Integer n, where n — 5k and k > 28. 
Output: Public key P: n multivariate quadratic polynomials Pi{xi, . . . , Xn), i = 1, . . . ,n. 
Private key: Two nonsingular Boolean matrices T and S of order n x n and eight quasigroups *i, . . . , *g 

1. Generate two nonsingular n x n Boolean matrices T and 5* (uniformly at random). 

2. Call the procedure for definition of P'{n) : {0, 1}" ^ {0, 1}" and from there also obtain the quasigroups *i, . . . , *8. 

3. Compute y = T{P'{S{x))) where x — {xi, . . . , x„). 

4. Output: The public key is y as n multivariate quadratic polynomials Pi{xi, . . . , Xn),i = 1, . . . , n, 
and the private key is the tuple {T, 5", *i , . . . , *8). 

Table 4. Algorithm for generating the public and private key 



that it is not necessary to store 32 x 32 x 5 bits for every quasigroup, since that type of the storage has 
redundancy (the last row of the Latin Square is uniquely determined by the rest of the table) , but in order 
to achieve efficient speed in the decryption process we store the full information about the parastrophes. 
In total, the size of the private key expressed in Kb is i^{2ti? + 40960). In the second column of the 
TableElwe give the size of the private key for n e {140, 160, 180, 200} in KB (kilo bytes). 

For the storage of the inverse table of the bijection of Dobbertin we need additional 2^^ x 13 = 106496 
bits which is exactly 13KB, but those 13KB do not belong to the private key. 

4.2 The number of operations for encryption and decryption 

In order to obtain an independent measure for the operating speed of our scheme, we will express the 
speed of encryption and decryption/signing as the number of operations per processed byte. We will also 
take into account three widespread microprocessor architectures: 8-bit, 32-bit and 64-bit architectures. 



Algorithm for decryption/signing with the private key (T, 5, *i, . . . , *8) 

Input: A vector y = (yi, . . . , y^). 

Output: A vector x — {xi, . . . , Xn) such that P(x) = y. 

1. Set y' ^T-^{y). ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ 

2. Set W = {y'l, y'2, y'3, yi, y'5, y'e, y'n, y'w, y'21, y'26, y'si, J/se, y'u)- 

3. Compute Z = {Zi, Z2, Z3, Z4, Z5, Ze, Z7 , Za, Zg, Zio, Zn, Zi2,Zxz) = Tio\r^{W). 

4. Set y\^ Zy, y'2 ^ ^2, ys ^ ^3, 2/4 ^ ^4, ys ^ ^5, j/e ^ ^6, y'w ^ Z-j j/Jg ^ Zg, ^21 ^ ^9, 

2/26 *" ^10, 2/31 ^ -^11 S/36 ^ ^12, 2/41 ^ -^13 ■ 

5. Represent y a& y = Y\ . . . Yk where Yi are vectors of dimension 5. 

6. By using the left parastrophes \i of the quasigroups *i, i — 1, . . . , 8, obtain x' — Xi . . . Xk, such that: 
Xi = Yi, X2 = Xi \i Y2, X3 = X2 \2 Y3 and Xi — Xi-i \3_^((i+2)mod 6) 

7. Compute x — S~^{x'). 

Table 5. Algorithm for decryption or signing 



n 


Size of the 
public key (KBytes) 


Size of the 
private key (KBytes) 


140 


168.69 


9.79 


160 


251.58 


11.25 


180 


357.96 


12.91 


200 


490.75 


14.77 



Table 6. Memory size in KBytes for the public key and the private key 



Since the public part of our scheme follows the typical paradigm of the MQ public key cryptosystems, 
its speed of encryption is the same as (or similar to) the speed of other MQ systems. That means that 
the encryption is done after 0{n^) logical AND and logical XOR operations. 

The actual speed of any multivariate quadratic PKC when encryption is performed on 32-bit or 64-bit 
microprocessor architectures, using internal parallelism of the modern CPUs, as well as techniques of bit 
slicing, can result in an encryption process which is significantly faster than RSA/DH or ECC encryption 
for systems with equivalent security levels. 

If we assume that AND or XOR operations can be executed in one cycle (without taking into account 
that modern 32-bit and 64-bit CPUs actually can perform several such operations in parallel), then non- 
optimized encryption of any general n-bit variant of any multivariate quadratic PKC scheme have a speed 
of ^ Ta^I (1 + "'V^^ ) operations per byte where Arch = 8, 32 or 64. 

The speed of decryption/signing in the class of multivariate quadratic PKCs is not so uniformly dis- 
tributed as it is for encryption. The number of operations for particular parts of the process of decryption 
of our scheme can be summarized in the following list: 

— Two linear operation by the matrices S^^ and T^^ that takes 2n\-^^~\ operations; 

— One lookup operation at the table of the bijection of Dobbertin; 

— Exactly fc — 1 lookup operations at the quasigroup parastrophes. 

The total number of operations per byte can be computed by the expression ^(2n[ ^"^^J + 1 + fc — 1) 
and are given in the Table [71 

4.3 Performance of the software and hardware implementation of the MQQ algorithm 

We have implemented the MQQ public key algorithm in C and in VHDL, and have measured its perfor- 
mance both on a PC with Intel Core 2 Duo processor in 64-bit mode of operation, as well as on a Xilinx 
FPGA. 

For comparative purposes, in Table [8] we give the speed of encryption/ verification and decryp- 
tion/signing for a basic block of data specific for several public key algorithms, performed on a PC with 





Operations per encrypted byte 


71 


Arch = 8-bit 


Arch = 32-bit 


Arch = 64-bit 


1 /in 


20306 


5640 


3384 


IDU 


25762 


6440 


3864 




33306 


8688 


4344 


200 


40202 


11257 


6432 




Operations per decrypted byte 


n 


Arch = 8-bit 


Arch = 32-bit 


Arch = 64-bit 


140 


289.65 


81.66 


49.66 


160 


321.65 


81.65 


49.65 


180 


369.64 


97.64 


49.64 


200 


401.64 


113.64 


65.64 



Table 7. Estimated operations per encrypted/decrypted byte, for different n and 8, 32 or 64 bit archi- 
tectures. 



Intel Core 2 Duo processor. The measurements for DSA, RSA, and ECDSA are taken from "cBATS: 
ECRYPT Benchmarking of Asymmetric Systems" [13] . From Table [8] one can obtain an impression that 



Algorithm name 


Encrypt 
(cycles) 


Decrypt 
(cycles) 


Sign 
(cycles) 


Verify 
(cycles) 


DSA signatures using a 
1024-bit prime 


N/A 


N/A 


1,041,400 


1,246,312 


ECDSA signatures 
using NIST B-163 
elliptic curve 


N/A 


N/A 


2,147,128 


4,220,480 


1024-bit RSA, 17 bits 
public exponent 


119,800 


2,952,752 


2,938,632 


98,712 


160-bit MQQ, one 
processor 


140,485 


10,705 


10,309 


140,209 


160-bit MQQ, two 
processors 


80,105 


6,212 


6,155 


79,903 



Table 8. Software speeds (in number of cycles) of several most popular public key algorithms on Intel 
Core 2 Duo processor in 64-bit mode of operation 



MQQ with 160-bits blocks is faster only in decryption (signatures), but is even slower than 1024-bit RSA 
in encryption (verification). However, we must emphasize the property that MQQ is highly parallelizable, 
and on systems with multiple CPU cores the speedup can go linearly with the number of CPU cores. 
That is shown in the last row of the Tabled where 160-bit MQQ was implemented in C, using OpenMP 
2.0 under Microsoft Visual Studio 2008. It is clear that further increasing of the number of CPU cores 
can speed up MQQ algorithm almost linearly with the number of cores. The next challenging task will 
be to implement MQQ in modern graphic cards (like Tesla'^" many-core processor from NVIDIA). 

The parallelizable nature of MQQ can be evidently shown in its hardware realization. Implemented 
in FPGA, MQQ is 10,000 times faster than DSA, RSA or ECDSA, and is comparable or even faster than 
the symmetric block cipher AES. 

In Table [9] we compare the speed of 160-bit MQQ with the speed of 1024-bit RSA realized in Xilinx 
Virtex-5 FPGA chip by the company "Helion Technology Limited" [20] . In the same table we also give 



the speed of AES (128~bit key) realized in Xilinx FPGA chip in the same Virtex-5 family and by the 
same company. We have to mention that our FPGA realization of 160-bit MQQ is fully pipelined, and 
actually needs two Xilinx Virtex-5 chips of the type: XC5VFX70T-2. 



Algorithm name 


1024-bit RSA, 
encrypt / decrypt 


160-bit MQQ, 
encrypt / decrypt 


128-bit AES, 
encrypt / decrypt 


FPGA type 


Virtex-5, 
XC5VLX30-3 


Virtex-5, 
XC5VFX70T-2 


Virtex-5 


Frequency 


251 MHz 


276.7 / 249.4 
MHz 


325 MHz 


Throughput 


40 Kbps 


44.27 Gbps / 
399.04 Mbps 


3.78 Gbps 



Table 9. Hardware performances of 1024-bit RSA, 160-bit MQQ and 128-bit AES on Xihnx Virtex-5 
FPGAs 



4.4 Speed of key generation for MQQ 

In the Section [3] we have given a randomized algorithm for generating MQQs which is based on the 
heuristic algorithm for finding MQQs of order 2^ described in subsection l2.3l The whole process of public 
and private key is extremely time-consuming. So, from the speed of the key generation point of view, we 
can say that our MQQ algorithm has much worse characteristics compared to other public key algorithms. 



5 Security analysis of the algorithm 
5.1 The size of the pool of MQQs of order 2^ 

It is very important to address the question of the size of the set of MQQs of order 2^ and of types 
Quad^Lino and QuadiLim. We have to note that the number of MQQs of different types is an open 
research question and that we do not know the exact number of such quasigroups, nor an approximation 
for the lower bound for that number. In fact, a more thorough analysis and experiments with smaller 
quasigroups (of orders 2^ and 2"^) can lead to the initial conjectures that their number is much larger than 
2^*°. However, we are sure that their number is certainly larger than 2^" since, by using Mathematica as 
a package for symbolic computations on a modest Pentium 4 machine (2GHz, with 512MB RAM), we 
have generated more than 2^'^ MQQs of type Quad^^Lirii and more than 2^*^ MQQs of type Quad^LiuQ. 
So, in total, the size of the pool set for 8 MQQs of order 2^^ is at least of order 2^^^. 



5.2 Chosen plaintext attack 

The chosen plaintext attack against some MQ scheme first was successfully applied by Patarin in [33] 
to break the MIA scheme [22]. The idea is very simple: given a system of MQ polynomial equations 
{yi = Pi(xi, . . . ,x„) |z = 1, . . . , n} as a public key, try to find relations in the x and y coordinates, by 
using plaintext/ciphertext pairs {x,y). 

It turned out that if the multivariate quadratic function is defined as F : x x"^ , then the relations 
between x and y coordinates can be expressed as a system of n bilinear equations Y^^=i Sj=i Pij^iVj + 
Y^7=i Pi.o^i + Po-jUj +/5o,o = where are (n + 1)^ unknown coefficients. By computing at least 

(n-f 1)^ plaintext/ciphertext pairs (x, y) a linear system of equations on unknowns can be established 
and solved. 



Our MQ PKC scheme is not defined by any particular F : x i-^ x'^'^ '^^ . Moreover, if someone try to 
estabUsh relations in the x and y coordinates in a similar way as Patarin did for MIA scheme, then those 
relations have to include all possible terms (not just bilinear terms) between x and y coordinates, thus 
rising the number of unknown terms to 0(2"). 

5.3 Isomorphism of polynomials 

The isomorphism of polynomials with one secret was initially introduced by Patarin [34j , and can be briefly 
formulated as: for two given sets of multivariate mappings P' : {0, 1}" {0, 1}" and P : {0, 1}" {0, 1}" 
by their polynomials (P{ (xi, . . . , a::„), . . . , P,'j(xi, . . . , a:„)) and {Pi{xi, . . . , Xn), . . ., P„(a;i, . . . , x„)) find 
(if any) an invertible affine mapping S : {0, 1}" {0, 1}" such that P' — S o P^ where the operation o 
is a composition of mappings. 

Several algorithms for the solution of the problem have been published in recent years. The first one 
was the algorithm proposed by Geiselmann, Meier and Steinwandt |17j , and the second was the algorithm 
by Levy-dit-Vehel and Perret [27]. Finally, in 2005 Perret presented an algorithm for efficient solving of 
this problem which proved that the scheme of Patarin is not secure [38j . 

The main difficulty for applying the techniques developed by Perret for attacking our scheme is that 
our scheme differs from that of Patarin in the sense that it can be generally described as P — T o P' oT = 
T{P'{T{x))) where T : {0, 1}" — > {0, 1}" is a nonsingular matrix and where the knowledge for P' is hidden 
from the attacker. The bijection P' : {0, 1}" — > {0, 1}" is constructed by an application of quasigroup 
transformations, and is not initially generated by some initial polynomial that will give information to 
the attacker. 

5.4 The MinRank problem and its solutions as tools for attack 

The MinRank problem can be described as follows: For a given sequence of matrices (Mi, . . . , Af„) over 
some field and a given integer r < n, find a linear combination of the matrices such that Rank(^^^^ \Mi) < 
r. The MinRank problem has been shown to be NP-complete over finite fields [5]. 

The attacks that involve solution of the MinRank problem, when r is relatively small, work like 
this: represent a given public key of n polynomials Pi(a;i, . . . , x„), . . ., P„(xi, . . . , a;„) in the form 
Pi{xi, . . . ,Xn) = x'^MiX where Mi are n xn matrices in a field. If the private key is constructed by 
polynomials P/(a;i, . . . , a;„) such that they can be described as P/ {xi, . . . , x„) = x'^AiX, and if the mini- 
mal rank r of Ai is much smaller than n (r = 0, 1, 2), then there are efficient algorithms for finding linear 
combination of the matrices Mi such that Part/c(^"^-^ XiMi) < r. The information for those linear com- 
binations, combined with the particular design principles is then used to break the system. For example, 
Goubin and Courtois [12] have broken the TTM system of Moh [35] in this way. 

The main difference between our PKC and systems where the solution of MinRank problems works 
is that the minimal rank r of the matrices Ai for the nonlinear part of our scheme are taken to be r > 8. 

Kipnis and Shamir [24] have used an instance of the solution of MinRank problems to attack the HFE 
scheme. They used the fact that HFE polynomials can be described as P{X) = J^l^o J2]ZQPij^'^'~^'^\ 
and the value of r is kept small (r < 13) in order to implement efficient decryption. 

This attack does not work on our scheme since we do not use any particular polynomial. In fact, 
if our nonlinear part P' is represented as a polynomial then the values for r are ~ n. Namely, the 
P' is obtained by several applications of different nonlinear quasigroup string transformation, which 
are leaving some parts still linear. Then those linear leftovers are transformed by another nonlinear 
transformation. The resulting quadratic bijection P' : {0, 1}" {0, 1}" can be represented in the form 
P'{X) = ErJo E;Jo p'.,X''+'' only for r « n. 

5.5 Attacks with differential cryptanalysis 

A few years ago, Fouque, Granboulan and Stern [16] have come to the idea to use the concept of differential 

cryptanalysis, that has been used successfully mostly against symmetric cryptographic algorithms, for 



multivariate schemes too. The basic idea is that for any finite field of characteristic q and for any 
multivariate quadratic function G : (F^)" i^q)"^ the differential operator between any two points 
x, A: e (Fg)" can be expressed as Lc.fc = G{x + k) — G{x) — G(fc) + G(0) and in fact that operator is a 
bilinear function. 

By knowing the public key of a given multivariate quadratic scheme, and by knowing the information 
about the nonlinear part of that multivariate scheme (the function F : x i—> x"^ ~^^), they showed that for 
certain parameters of some multivariate schemes it is possible to successfully recover the kernel of Lc.fc- 

This attack was successfully applied on Ding's scheme ^lOj, and afterwards, using the same technique, 
Dubois, Fouque, Shamir and Stern in [T^] have completely broken all versions of the SFLASH signature 
scheme proposed by Patarin, Courtois, and Goubin in |37j . 

Although the generic part of the differential attack is applicable on our multivariate quadratic scheme, 
the crucial part that is different is the fact that the nonlinear part in our scheme is not a function of a 
type F : X !—>■ x'^ . In our scheme, the nonlinear part is unknown to the attacker, since it is a part of 
the private key, and this renders the differential attack impoverished. 

5.6 XL attack and Grobner basis attacks 

The XL [7] procedure for solving MQ polynomials was proposed by Courtois, Klimov, Patarin, and Shamir 
in 2000 as an extension of an initial attack by Kipnis and Shamir [53] called relinearization. When the 
number of equations m is equal to the number of variables n, then the complexity of the algorithm is 2". 
Since our PKC scheme has exactly that property, we can claim that an XL attack is not efficient on our 
PKC. 

Recently XL algorithm has been proven ( |2l43j ) to be equivalent to F4 algorithm, a fast Grobner basis 
computation algorithm developed by Faugere [14j . Since the Grobner basis attack solves a multivariate 
polynomial system directly, any PKC based on multivariate polynomials is potentially vulnerable to this 
attack. In the case of HFE, Joux and Faugere [TF successfully attacked a system of 80 MQ polynomials in 
80 variables in 2003 using Faugere's F5 algorithm specialized for the binary field. The successful breaking 
of HFE by F5 algorithm is due to the fact that the secret polynomial in the HFE has a degree of only 
96. A HFE scheme need to have a polynomial of relatively low degree because it's performance depends 
on the algorithms for finding roots of that polynomial in G'i^(2"). The authors of [TS] even give a table 
where they project the upper bound for the efficiency of the Grobner basis attacks. The degree of the 
polynomials that can give HFE instances still feasible to be broken by the F5 algorithm goes up to 4096. 

By performing numerous attacks by Faugere's algorithms on our PKC scheme we came to the following 
conclusions: 

1. Faugere's algorithms successfully break our scheme up to n ~ 95 variables. 

2. For n > 100, Faugere's algorithms rapidly lose their efficiency against our scheme. 

We want to stress here that our decision to propose the security parameter for our PKC scheme (the 
number of Boolean variables n) to be: n > 140, was based both on the experimental experience that we 
gained during the design-break-tweak-design process and on the arguments that make our multivariate 
quadratic scheme different from all other such schemes developed so far. An important part in that design 
process were attacks based on Grobner bases and Faugere's algorithms. However, as it is the case with 
many public-key schemes, we do not have an ultimate security proof for our scheme. 

To summarize: as a general claim for our MQQ scheme with n variables we say that its strength is 
2?. We base our claims on the analysis of the power of the methods using Grobner basis to solve random 
multivariate quadratic systems of equations. 

Namely, the authors of [TS] give a formula for computing the upper bound for the efficiency of the 
Grobner basis attacks. Based on that analysis we are giving here the Table [TU] with the projected com- 
plexity for solving random multivariate quadratic systems of equations by Grobner basis algorithms for 
different number of variables n. Based on that projection in the second row we are giving the projection 
for the strength of our PKC scheme. 



n 


140 


160 


180 


200 


Complexity 

of Grobner basis attacks 


287 


299 


2112 


2125 


Strength 
of our MQQ PKC 


270 


280 


290 


2100 



Table 10. Complexity of the Grobner basis attacks for different number of variables n and the strength 
of MQQ against Grobner basis attacks. 



5.7 Attack by an anonymous PKC-2008 reviewer 

In this subsection we will describe an attack that has been proposed by an anonymous reviewer of the 
11th International Workshop on Practice and Theory in Public Key Cryptography - PKC 2008, held in 
Barcelona, Spain in March 2008. 

Let us take a simplified version of the algorithm where P = T o P' oT (only one linear transformation 
T is used) and in this subsection let us denote by S the set of all n-bit Boolean vectors, i.e., S = {0, 1}". 
Thus, P, P' and T are now maps from S to S, and elements of S are the n-tuples {xi,X2, ...,a;„), where 
Xi G {0,1}. 

The first step in the attack will be to identify an element s of S, that under the linear transformation 
T has the form: 

T(s) = (0, 0, . . . , 0, Xk+l,Xk+2, • ■ • , Xn), 

that is, such that its first k coordinates are zero. Let Sk be the space of elements of S whose first k entries 
are 0. 

Selecting elements of 5* at random, the probability of finding s G S'/j is , so finding an clement of 
Sk reduces to being able to know that such an element has been found. To do this, notice that since the 
first k coordinates of T(s) are all zero, then for every element r G S, the first k coordinates of 

P' o T{r) 

and the first k coordinates of 

P' o T(r + s) 

are equal, so the vector space generated by elements 

{P{r + s) - P{r)\r e S} 

has co-dimension k in S. This last condition can be easily verified. 
The attack is as follows. 

1. Pick a random s G S. 

2. Check if ,s is an element of T~^{Sk) using the previous test. 

3. Repeat until a basis for T~^{Sk) is found. 

The reasons why wc boldcd the Step 2, the phrase "for every element" and several other phrases in 
the forthcoming text, will become clear at the end of this subsection. 

If T(s) G Sk, then we have seen that the first k coordinates of P' o T(.s + r) coincide with the first k 
coordinates of P' o T{r) for every r, hence P' o T{s + r) — P' o T{r) is an element of Sk (this is actually 
how one identifies that T{s) G Sk). Since T is hnear, T{P' o T{s + r)-P'o T{r)) = P{s + r) - P(r). 
Notice that this is T{s') for s' an element of Sk- In other words, when one picks a random s and checks 
if T{s) is an element of Sk by checking that the co-dimension of {P{s + r) — P{r) \ r G S} is k, this 
space of co-dimension k is the same as T{Sk)- 



Using a modification of the previous argument one can recursively identify of the subspaces of S 
such that first k coordinates are zero. Again, as a by-product of this attack, the image of such subspaces 
under T is recovered. 

The attack described above is based on a very nice idea, namely to apply linear algebra theory in 
order to recover one part of the private key (the linear transformation T). However, the complexity of the 
attack is much worse than the projected security of our scheme that is 2^ . The parts that we have bolded 
are clearly showing the complexity of the attack. Namely, in the first part of the attack (the Step 2) the 
attacker needs to find out an element s such that it belongs to T~^{Sk)- In order to do that, he pics a 
random s and then he have to check for every r G that {P{r + s) — P{r) | r G S"} has co-dimension 
k in S. The number of elements in 5* is 2". Thus, finding only one vector s d Sk needs 2" operations, and 
recovering the whole basis of the discussed subspaces under T will need many more operations. Moreover, 
the arguments that the attacker does not need to check all elements r £ S, but just a small number of 
random elements r € S that satisfy the condition that the first k coordinates of P{r + s) and P{r) are 
equal is completely wrong and has no mathematical merit. 

6 Conclusions 

We have constructed a public key cryptosystem MQQ by using quasigroups. The main idea is to represent 
quasigroups as vector valued Boolean functions, to find a class of quasigroups that have degree at most 2, 
and then to use quasigroup string transformations to construct bijective trapdoor multivariate quadratic 
polynomials. 

The speed of encryption/ verification of our scheme is similar to other MQ schemes, and the speed of 
decryption/signing is in the range of 500-1000 times faster than the most popular public key schemes. 
Moreover, the algorithm offers flexibility in its implementation from parallelization point of view. 

By learning about the weaknesses of all existing MQ schemas, we have designed a scheme that combines 
several known structures to create secure multivariate quadratic trapdoor functions. 

Our scheme is resistant against known successful attacks on other MQ schemes, since its design 
principles does not include the known design weaknesses of other MQ schemes, one of which is that there 
exists a given multivariate quadratic polynomial (or a set of MQ polynomials) with relatively low degree, 
on top of which the whole PKC scheme is constructed. That design principle has been the necessary crib 
for successful attacks of many MQ schemes. In our PKC scheme, there is a fundamental difference in that 
we have defined a huge class of quasigroups called Multivariate Quadratic Quasigroups which gives MQ 
polynomials after certain types of operations. 

It is an open research problem to count the number of MQQs of order 2^ and to find ways to construct 
MQQs of higher order (for example of order 2*). Finding such quasigroups will increase the security and 
will speed up the process of decryption/signing even more. 
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APPENDIX 



AN EXAMPLE OF THE CREATION OF A PRIVATE AND 
A PUBLIC KEY WITH n = 20 BITS 



This example is for n = 20. Since even with such a small example, the number of terms in some 
expressions will increase to more than 100, in the notation we will use horizontal lines to make a distinction 
between different coordinates. 

We will use the simplified version of the algorithm where P = T o P' oT. Let x = {xi,X2, ■ ■ ■ , X20) be 
a vector of 20 Boolean variables. The private and the public key is created by the following procedure: 



1) Set T = 
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where T is a nonsingular 20 x 20 Boolean matrix generated uniformly at random; 



2) Set 

*1 {X1,X2, X3,X4, X5,X6,X7, Xs, Xg, Xio) = 



1 + + 


X2 + + XJ + XQ + XIQ 




1 + XQXl 
+ 

+ X1Q 


+ x^x-i + xiQXi + XI + X2 + X4^ + X2XJ + a;3a; 
X2X% + x^x^ + X4Xg + X2X9 + X3X9 + X^XQ + 


7 + X4X7 + 
X9 + X5X10 + 


1 +:^6^1 


+ XQX]^ -\- XI -\- X2Xg + X3Xg + xg + X4X7 + xy 


+ X4Xg + 


+ XS + 


■XQ + X3X9 + X^^XIQ 




1 + 3^8X4 
+x^xY + 
+ ^10 


+ XQX4 + a;4 + X5 + x\xq + X2X6 + X3X6 + xi 
xixg + X2X% + xsaJg + icg + xg + a;ixio + 3^23; 


xy + X2X-7 + 
10 + 3^3^10 + 



1 + xjxi + xiQXi + xi + X2 + x^ + + X2XJ + x^xj + + xg + 



- +3^23^10 + ^3^10 



*2(CC1, ir2, X3,X4, XSyXe-, X7y X8-,X9, xio) = 



'xi + X2 + a:^6 + ^9 + ^10 

X8X2 + X2 + a;3 4- 0:3x5 + X5Xg + xg + X3X7 + X4X7 + X5X7 + 
+ XIX8 + x^xQ + X4X8 + xgxg + xg + X3X9 + X5X9 + X3X10 + 

+ X5X10 + xio 

1 + xQxi + xiQXi + xi + X2 + X4 + x^ + x^xj + X4XJ + Xg + a:;2a;9 + 

+ ^2^10 

X7X3 + X9X3 + xio.T^3 + x^ + X4 + x^ + xixQ + X2XQ + X4XJ + X7 + 
+ xixg + x2T,g + r^xc) + 3:4x10 

_X3 + X4 + xi.r,.; + X2.tfi + X7 + xg + xiXQ + X2X9 + x^q 



^3{X1,X2, X3,X4,X5,X6,X7, X8, X9, Xio) = 



+ x^xj + 334x7 + r.r^XY + .-(■2'^-8 + -'■3'-''a + ^'4'>'8 + ^■5'-''8 + ■'^3^9 + 
+ X4XQ + x^xc) + ,1:9 + X2J-'io + 

XQXl + XJXl + XgXl + XI + X^ + XQ + X2XQ + XQ + X2XJ + 

+ ^2^8 + ^2^10 + ^3^10 + ^4^10 + ^5^10 + ^10 

1 + XQXl + XJXl + XQXl + XlQXl + XI + X4 + X2XQ + X2XJ + 

+ XJ + X2XQ + + xg + X3XIQ + X4X1Q + x^xiQ + 3:10 

1 + XgXi + XlQXl + xi + X4 + XQ + X2XQ + XQ + X^Xj + X4XJ + 

+ X5XJ + X2X1Q + 3:3x10 + X4XIQ + X^XlQ 

1 + XQX2 + XIQX2 + X2 + X4 + X5 + x^xj + X4XJ + 3=5x7 + 
-+X7 + ^ixg + a;9 + a;ixio + 3^3x10 + X4a;io + X5X10 + a^io 



3) The tuple (T, *i, *2, *3) is the private key; 



4) Set x' = T-x^ = 

-X4 + 3^5 + 3^7 + ^11 + ^14 + ^15 + ^16 + ^20 

XI +334 + x^ + XQ + XY + XQ + 3=10 + ^11 + 3:12 + 

+ 3313 4- 3:14 + ^15 + ^19 + ^20 

XI + X2 + + X4 + XQ + xj + XQ + xg + xi() + 

+ 3313 4- xi4 + a:i5 + xiq + xij + xjg + xig 

x^ + X4 + x^ + xg + xiQ + xii + 3312 + 3314 + 3: j 7 + xig 

3:1 + 332 + 3:3 + 3:7 + xg + XIQ + 3315 + X17 + xig + a;20 

a;i + X2 + 333 + X4 + x^ + XQ + xy + Xf^ + xg + x^q + 3:ii + 

+ X13 + + xiQ + + + '^19 + ^20 

3^2 + ^^4 + ^5 + ^6 + ^'9 + ■'=10 + ^11 + ^12 + ^^15 

XQ + xj + XQ + xio + X12 + + + 

3:2 + ^7 + ^8 + ^9 + ^10 + ^11 + ^12 + 3'14 + ^15 + 

+ XIQ + xiY + X20 

a^l + X2 + X3 + X4 + X5 + XQ + X7 + xg + X13 + 

+ X17 + xi8 + X20 

X2 + X4 + xg + X7 + xg + X9 + xiQ + Xig + X20 

'^S + ^^4 + ^6 + ^8 + ^10 + ^13 + '^le + ^17 + '^IQ 

X2 + X3 + X4 + xio + X14 + XI6 + xig 

XI + X3 + X7 + xiQ + xii + xi2 + xi3 + X15 + XI6 + 

+ X17 + xig + X20 

X3 + + 3.'5 + XQ + xio + xii + X12 + X13 + X14 + 

+ X15 + 3:18 

X2 + X3 + X4 + X5 + + ^14 + ^18 + ^19 + ^20 

XQ + xg + XIQ + X12 + X14 + + X16 + X20 

X4 + X5 + X7 + XIO + ^12 + X14 + xig + X17 + xig + 

+X19 + X20 

XI + X2 + xg + xg + xi2 + xi3 + xi5 + xi7 + xig + 

+ X1Q + X20 

X2 + X4 + X5 + XQ + X7 + Xg + Xg + Xii + X15 + 
- +®17 + ^18 + ^20 



5) Represent the vector x' by chunks of 5 bits, i.e. x' = X1X2X3X4; 

6) Compute = Y1Y2Y3Y4 such that Yi = Xi, Y2 = Xi *i X2, Y3 = X2 *2 X3 and Y4 = X3 *3 X4. The 
following relations will be obtained: 

Yi = (yii, 2/12, yi3, 2/14, yi5), where 

yil = X4 + X5 + X7 + xii + xi4 + xi5 + xi6 + X20> 

J/12 = ®1 + 2:4 + X5 + XQ + X7 + xg + xio + xii + X12 + +X13 + xi4 + xi5 + Xig + X201 

yi3 = ^^1 + a;2 + ^1^3 + ^4 + ^6 + ^7 + ^8 + ®9 + ^10 + +®13 + ®14 + ®15 + ^16 + =^17 + =^18 + ®19' 

V14 = X3 + X4 + X5 + xg + + ^11 + ^12 + ^14 + ®17 + ^19i 

J/15 = XI + X2 + X3 + X7 + xg + XIO + ^15 + ®17 + ®19 + ^20' 

Y2 = (^21,^22,^23,^24, 2/25), where 

■y21 = 1 + XI + X4 + X7 + xg + X12 + X13 + X15 + xiq + X17, 

y22 = l+X7Xi+X9Xi+xioxi+xi3Xi+xi4Xi+xi5Xi+xi6Xi+xi7Xi+xif5Xi+xi9Xi+X20Xi+xi+X2+X2X3+X3 + X4+X4X5 + 
X4Xg + xgxg + X2X7 + X6X7 + X7 + X3Xg + X4Xg + xgxg + X7X8 + xg + X4XQ + xgxg + X2Xiq + X4X1Q + X7X1Q + xgx^o + + X2X11 + X3X11 + 

^6^11 + ^7^11 +^8^11 +==3 ^12 + 3=4 ^12 + ==8 ^12 + xioxi2 + xiixi2 + X3X13 + X5X13 + xgxi3 + X11X13 +xgxi4 + X7Xi4 + xiixi4 + xi4+X2Xi5 + 
X4X15 +X5X15 +X(5Xi5 + X7Xi5 + xgxi5 + xioxi5 + xi5 +X5Xie +xexie + x-^xiq + xgxiQ + xgxiQ + x hxiq + x i2X iq + x 14x15 + X2X17 + X5X17 + 
X7X17 + X9X17 + X1QX17 + X13X17 + X15X17 + xiexi7 + X3X18 + +X4Xig + xgxig + xiQXig + xiixig + X2^2^18 + ^13^18 + ^16'T=18 + ^3^=19 + 
X14X19 + X4X20 + xex20 + X7X20 + X8X20 + xiox2n + ^12^20 + ^13^20 + ^14'^20 + ■'=193'20 + ^■20-^ 

V23 = l + X2Xi+X5Xi+X7Xi+xioxi+xiixi+xi5Xi+xigxi+xi9Xi+xi+X2X3+X3+X2X4+X3X4+X2X5 + X4X5+X5 + X2xe+X5XQ + 
XQ + X3X7 + X4X7 + X5X7 + xeX7 + X7 + X3Xg + X4Xg + X5Xg + X4X9 + X5X9 + xgxg + X3X1Q + xgxiQ + xgxig + xig + X4X11 + xgxn + xgxn + 
xgxii + xgxii + xioxii + X2X12 + X3X12 + X5X12 + X7X12 + X8X12 + X9X12 + X11X12 + X12 + X2X13 + X3X13 + X4X13 + X7X13 + xgxi3 + X12X13 + 
X3X14 + xgxi4 + X9X14 + xiO'T=14 + '^13^14 + ^2'^15 + ^3^15 + '^4^15 + ^6'^15 + ^7^15 + '^10^15 + ^11^15 + 3312x15 + X13X15 + X15 + X3X17 + 
^8^17 + ^9^17 + 10^17 + ■'^13 17 + ^2 ■'^18 + ^5 ^ 18 + '^^e ^ 18 + 7 ^ 18 + ^9 ■'^ 1 8 + ^13''=18 + 1 4 ^ 18 + 1 7 ^ 1 8 + x ig + x 2 x ig + X4 x 1 9 + X5X19 + X7Xig + 
^8^19 + ^9''= 19 + ■'=11''=19 + ■'^12^19 + ■'^18^19 + ^19 + ■^=3^20 + ^4 3'20 + ^5 ■'=20 + ■'=9 ■'=20 + ■'=10^20 + ^^11^20 + ^^12^20 + ^14^20 + ^17^20 + ^■'19^20 > 

V24 = l + X4X3 + X5X3+X5X3+X7X3 + X2^0''=3+''=11^3 + ^17^3+^19^3 + ^20^3+^T=3+^T=2^T=4+^T=4+^T=4^5+^4^6 + ^5^6+^5^7 
XQXg + xg + X4XiQ + X6XiQ + X7X1Q + X2X11 + X4X11 + X5X11 + X6X11 + X10X11 + X11 + X4X12 + X5X12 + X6X12 + X7X12 + X10X12 + X11X12 + X12 + X2X13 + 

^5^13 + ^7^13 + ^10^13 + ^'ll ^■'13 + ''=43'14 + ■'=5^14 + ■'=6^14 + ■'=7^14 + ^10^14 + ^11^14 + ^14 + ^4^15 + + 
^7^16+^10^16 + ^11 '^16+ ■'=15^16 + ^16 + ■^6''= 17 + ■'=7^17 + ^9^17 + ^12^17 + ^14^17 + ^17 + '3=4 ^18 + ^9^18 + ^11'^ 

^6^19 + ^7^19 +^11^19 +^12^19 +^13^19 +^14'T=19 +^16^19 +^4^20 +^rK'=20 +^9''=20 + ■'=10^20 + ^11^20 + ^12^20 + ^14^20 +^17^^ +^20' 
1/25 = 1 + X1X2 + X3X2 + X7X2 + X10X2 + X11X2 + X12X2 + X13X2 + ^15x2 + X17X2 + xigX2 + X20X2 + X1X3 + X3 + X1X4 + X3X4 + xr, + xq + 
XIX J + X4X7 + xixg + X3X9 + X7Xg + xg + X3X1Q + X4X10 + X7X10 + xgxiQ + xiq + X3X11 + X4X2^i + X7X11 + xgxn + X1X12 + X4X12 + xgxi2 + 
^10^12+^11^12 + ^12 + ^3^13 + '^4^13 + ^7''=13 + 9 ^-^ 13 + ^-^ 1 2 1 3 + ■'=13 + x 1 x 14 + x 3 x 1 4 + x 7 x ^^4 + x 1 q x 1 4 + x 1 1 x 14 + x 1 2 x 1 4 + x 1 3 x 14 + x 1 x 1 5 + 
X4X15 + X9X15 + X10X15 + X11X15 + X13X15 + X14X15 + X15 + X15 + X1X17 + X4X17 + xgxi7 + X10X17 + X11X17 + X13X17 + X14X17 + xixig + X4Xig + 
=«=9^18 + ^10^18 + ^11^18 + ^13^18 + ^14^18 + ^18+^19 + ^3^20 + ^4^20 + ^7^20 + 3:9x20 + x 12x20 + 3:14x20 + x 15x20 + x 17x20 + xigx20 + X20' 

Y3 = (2/31,2/32,2/33,2/34,^35), where 

?^31 = 3=2 +'''3 + 3=5 +X7 + X9 + X1Q + X12 + X13 + X15 + xig + X2O1 

3^32 = a=6Xi+X8Xi + xiQXi+xi2Xi+xi3Xi + xi7Xi + X20Xi+xi+X2a;3 + X3 + X3X4 + X2X5+X3X5+X4X5+X5+X3X6 + X4X6+X5X6+X3X7 + X4X7 + 
X6X7+X2Xg + X3X8 + X4X8+X5X8+X7Xg+X8 + X3X9+X4X9 + X9+X4XiQ+X7Xio + xgXiQ + X2Xii+X6Xii+xgXii+X3Xi2 + X4Xi2+X5Xi2+X8Xi2 + 
3:9'''12+a:i2+a:2'i'13+3=5Xi3+X7Xi3-|-xiQXi3 + xiiXi3 + X2Xi4 + X4Xi4 + X5Xi4+X8Xi4 + xioXi4 + xiiXi4 + xi3Xi4 + xi4 + X3Xi5 + X4Xi5 + X6Xi5 + 
3'8®15+='^10^15+®13='=15 + '''2 3=l6+®3^16 + '''5'^16+=''6'''16+^7'''16+^8'''16+^9^16+^15^16+®2a'l7 + X3Xi7+X4Xi7 + X5^ 

3=12 3=l7+xi4Xi7+xi5Xi7+xi6Xi7+xi7+X2Xi8 + X3Xig + X5Xig+X8Xig+xiQXig+xiiXig+xi2Xig + xi3Xig + xi6Xig + xi7Xig + xig + X3Xi9 + X4Xi9 + 
a=7'''19+='=8'''19+''=9'''19+^ll'''19+''=12'i'19+''=15'''19+''=17'''19 + ^18'''19 + 3:3'''20 + '''4'i'20 + '''5^20 + '''8^20 + '''9^20 +'''17 + '''20 +3= 18 '''20 +3= 19 '''20 +3=20> 



X^XY+XQXY + X2XS+X4^XQ+X^Xf^+X■J■Xf^+X3XCJ+X4^Xg+X^:iXg+XQXQ+X2XlQ+XQXlQ+XQXlQ+Xr^Xll+X4Xll+XQXll+XgXll+XlQXll+Xl 

^5^12 +^6^12 + 3=73; 12 +3^2^13 + ^3^13 + ^5 3^13 +^6^13 + 3=7^13 +^83^13 +^9^13 + 3=10^13 +^11^13 + 3=13 + ^3^14 + 3= 
^12 ^14 + ^13 ^14 + ^3 3=15 +^5 3=15 + 3=7^ 15 +3=8 ^15 + ^10 3=15 + ^13 ^15 + ^14 3=15 +^2 3=16 + 5 ^16 +3=6 ^16 + ^9 3=16 + ^10^1 
^16+^2^17 + ^5^17+3;6^17+3;9Xi7 + xioa;i7 + xiixi7 + xi2a;i7+3;i33;i7 + ^17+^5^1S+3;i0^18+3;i2^18+^15^1 
^3^19+^4^19+^5^19+^8^19+3=9^19+^11^19+^12^19+^16^19+^17^19+^18^19+^5^20 + ^10^20 + ^12^20 + ^15^20 + ^16^20 + 

V34 = ^2^1 + ^3^1 + xjxi + xgxi + xiixi + xi^^xi + x^^x^ + xi^xi + xijxi + x^^xi + x^ + X2X2 + ^3 + X2X^ + ^5 + x>^xq + xq + X2Xj + 
3=2X8 + X5X9 + X2XIQ + XQXio + ^9^U) + ^10 + ^3^=11 + a=5^11 + ^7^11 + ^8^11 + ^10^11 + ^11 + ^3^12 + ^=6^12 + ^7^12 + ^8^12 + ^9^12 + 
^2^=13 + ^5^13 + 3=10^13 + ^11^13 + a=2^14 + ^lix\4^ + xi2^1A ^lA + ^^^1^ +^=6^15 +^9^15 + 3=10^15 + ^13^15 +^15+^3^16+^5^16+^6^16 + 
^7^16 + ^8^16 + ^93=16 + ^10^=16 + ^12^16 + ^14^=16 + ^I^^IQ + ^16 + ^5^17 + ^=6^17 + ^9^17 + ^10^17 + ^13^17 + 3;i6^17 + ^17 + ^23^18 + 
^5^18 + 3=10^18 + ^11^18 + ^15^18 + ^17^=18 + ^18 +3=3^=19 +^6^19 + ^7^19 +^8^19 +^9^19 + ^14^19 + 'i'16'^19 + 3^19 + 3=2 ^^20 + ^3^20 + '''5'^20 + 
XJX20 + a=8^20 + ^10^20 + ^11^20 + ^12^20 + ^13^20 + ^14^20 + ^16^20 + ^18^20 + 3=19x20- 

y35 ^ ^2^1 +X4X1 + XQXi + x-^xi +X9X1 + xiixi + X14XX + X20X1 + x ^ + X2 X3 + X3 X4 + X4 + x 5 + X3 xq + xq + x 2 X7 + X3 x 7 + X4 x 7 + xg X7 + 
X2XS +X4Xg + xgxg +X7X8 + X3X9 + X7X9 + xgXQ + xg + xiQ + X3X11 + X7X11 + xgxii + X2X12 + 3=4x12 + a;QXi2 + a=7^12 + 3=9x12 + X11X12 + 3=2^=13 + 
X4X13 + XQX13 + X7X13 4- xgxi3 + X11X13 + X2X14 + X3X14 + X4X14 + X6X14 + XSX14 + X9X14 + X11X14 + X12X14 + ^13x14 + ^2x15 + X4X15 + 
3=6^15 +3=7x15 +X9X15 + X11X15 + x 14x15 + X15 +X2X16 +X4X16 +xqxi6 +X7X16 +^9x12 + xiixi6 + x 14x15 + X2X17 + X4X17 +xexi7 + X7X17 + 
3=9a=17 + 3=113=i7 + xi4Xi7 + xi7 + X2Xi8+X4Xi8 + XQXis +X7X1S +X9Xi8+xiixi8+xi4Xig + X2Xi9 + X4Xi9+X6Xi9+X7Xi9+X9Xig + xiixig + 
3=143=19 + 3=2^=20 + 3=3x20 + 3=43=20 + 3=63=20 + 3=83=20 + 3=9x20 + 3^113^20 + 3^123=20 + 3^13x20 + 3=15x20 + xiex20 + X17X20 + xi8X20 + 3=igx20 + 3:20' 

I4 = {y 41, y 42, y 43, y 44, 1/45), where 

1/41 = X4Xi+X5Xi+X7Xi+X8Xi+xgxi+xioxi+xi23=i+xi3Xi+xi4Xi+xi5Xi+xiexi+xi7Xi+xi+X3+X4+X3X5+X5+X3XQ + X5X7 + 
XQX7 + X2xg + X3xg + X4xg + xex9 + X8X9 + X4X10 + 3:5x10 + X7X1Q + X8X10 + ■'=10 +3:33:11 +X4X11 +XQX11 +X8X11 + xio3:ii 4- X2X12 + X3X12 +X5X12 + 
3=63=12 + 3:7x12 + X10X12 + X2X13 + X3X13 +X4X13 + X5X13 + X8X13 + X11X13 + X13 + X3X14 + X4X14 + X5X14 + X8X14 + X9X14 + X2X15 + X4X15 +X5X15 + 
3=73:15 +3:33=15 + X13X15 + X15 + X2xie +X5X16 +X6X1Q + X10X16 + X11X1Q +X13X1Q + x 15x10 + xie +X3X17 +X4X17 + X6X17 + X8X17 + X11X17 + 
xi2Xi7 + xi3Xi7 + xi4Xi7 + X2Xig+X3Xi8 + X4Xig+X5Xi8 + X8Xig4-xgxi8 + xiQXig+xi3Xig+xi4Xi8 + xiQXig+X2Xig + X3Xig+X5Xig + XQXig + 
^7^19 + 3=1 13:1 g +3:i2 3:ig+xi4Xig+xi6Xig+xig +X2X2n + 3:4 X20 + xq x 20 +3:7x20+3:8x20 +3: 10 3:20 +3:12 3:20 +3:13 3:20 +3:15 3:20 + 3:16 3:20 + 3=193^20' 

1/42 = 3:5x2 + XSX2 + xgx2 + X10X2 + xiiX2 + X13X2 + X15X2 + xiqx2 + X17X2 + xigX2 + X19X2 + X203:2 + X2 + X4 + X1X5 + X4X5 + X3X6 + 
X4Xg + X5X7 + X7 + X3X8 + X5Xg + XQXg + X7Xg + X3Xg + X7X9 + xgxg + xixiq + X3X1Q + X5X1Q + X7X10 + xig + xixn + X4X11 + X5X11 + X7X11 + 
3=83^11 + 3=12 + 3=3x13 + X5X13 + XQX13 + X7X13 + xgxi3 + X11X13 + X13 + X3X14 + X4X14 + xexi4 + xgxi4 + X10X14 + X13X14 + X14 + X1X15 + 

3=43:15 + 3:53:15 + X7XI5 + X8X15 + XI3XI5 + X4XI6 + X5XIQ + X7XIQ + XIQXIQ + XllXlQ + XI3XIQ + XI4XI6 + 3=15X15 + X1X17 + X4X17 + X5X17 + 

^6^17 + 3:73:17 + 3:gxi7 + X1QX17 + X14X17 + X1QX17 + X3Xig + X7Xig + xgxig + X17X18 + 3:i8 + 3:3x19 + xgxig + X7Xig + X8X19 + xigxig + 
a;i4xi9 + xiQXig + xi7Xig + xig + X4X20 + ■3=53:20 + 3:63=20 + 3:73:20 + 3:11x20 + X13X20 + 3:^15x20 + xiex20 + X17X20 + 3:igx20 + X20, 

1/43 = 1 + 3:3x2 + X4X2 + XQX2 + xgx2 + X10X2 + X17X2 + xi83:2 + 3:20^3=2 + 3:2 + 3:3x4 + X4 + X1X5 + X3X5 + X4X5 + X5 + X4XQ + xq + X3X7 + 
X4X7 + X6X7 + X5X8 + XQX8 + X4Xg + X5X9 + xgxg + X7Xg + xg + xixiQ + X3X1Q + X5Xin + X7X10 + xio + xixii + X3X11 + X4X11 + X5X11 + xgxii + 
^93:11 + 3:3x13 + X4X13 + xgxi3 + X3X14 + X4X14 + X6X14 + xgxi4 + X1QX14 + X13X14 + X1X15 + X3X15 + X4X15 + X5X15 + X8X15 + xgxi5 + X15 + 
3=63=16 + 3:83=16 + 3:93:16 + 3:ioxiQ + X13X16 + X14X1Q + xiQ + X1X17 + X3X17 + X7X17 + X8X17 + xgxi7 + X1QX17 + X11X17 + X13X17 + X14X17 + 
3=153=17 + 3:4x18 + X5Xig + XQXig + X7Xig + X11X18 + xi3Xig + X15X18 + xigxig + X17X18 + xi8 + X3Xig + X4X19 + X5X19 + xgxig + xiQXig + 
^11=^19 + 3:143:19 + 3=15X19 + xiQXig + xigxig + xig + X3X20 + 3:7x20 + X8X20 + X17X20 + 3=20' 

y44 = 1 + 3:5x1 + XQXi + xgxi + xiixi + X12X1 + X14X1 + xiqxi + X17X1 + X20X1 + xi + X2 + X2X3 + X2X5 + X3X5 + X5 + X2Xq + X4XQ + 
3=6 + 3=23:7 + X5X7 + XQX7 + X5Xg + X4Xg + XQXg + X7Xg + X3X10 + X4X10 + X5X1Q + x^xiq + xgxig + X5X11 + xgxn + xgxn + xigxn + X3X12 + 
X4X12 + X5X12 + X8X12 + xgxi2 + 3:2x13 + X3X 13 + X4X13 + X11X13 + X2X14 + X4 x 14 + X5 x 14 + x 7 x 1 4 + xg x 14 + x 1 3 x 14 + X3 x 15 + X4 x 1 5 + X6X15 + 
3=83=15 + 3:103=15 + 3=133:15 + 3:23=16 + 3:5x16 + xgxiQ + 3:gxi6 + X11X16 + ■'=14''=16 + 3=153:16 + 3:i6 + ■'=33=17 + 3=63:17 + 3:7x17 + xi2''=17 + ^3=133:17 + 
^15=^17 + -^-n + 3:2^=18 + ■1=33:18 + ■'"-4''=18 + 3:6^3:18 + ^3^93:18 + ■3:iO'i=18 + 3=11X18 + ■'=12''=18 + 3:i3''=18 + ■1=173=18 + 3:i8 + ■'=43:19 + 3:5''=19 + 3:63=19 + ■'=73=19 + 
a'S'^ig + ■'■9^'-19 + ■'■123'19 -r ■'■13'''19 + ■3:i5^3:i9 + 3:i7Xig + xig + X2X20 + ^'=103:20 + ■':i33;20 + 3:i4''=20 + 3:i6''=20 + 3:173=20 + ■';i83'20 + ■'";igx20 + ■'=20' 

1/45 = 1 + ■'-3^'-2 + ■•:r/-^-2 -+- ■'-63:2 + 3:7x2 + X13X2 + X14X2 + xi6X2 + :'=18''=2 + ■':20''"-2 + 3:2 + :'=i:'=5 + ■'=33=5 + ■'=5 + ^'=13=6 + X4X6 + X5X7 + XQX7 + 
xixg + x^xg + xg + .r4,(;g + .(;63:9 + 3=7x9 + X3X1Q + X4Xi,i + X5X1Q + X6Xio + ■'=93:i0 + 3; 1 x 1 1 + X5X11 + xqxh + xgxn + xiqxh + xn + X1X12 + 
X3:(;i2 + X4X12 + :':5^'-12 + ■'-83=12 + ■';gxi2 + ■'=33:13 + 3:4x13 + X11X13 + xi:(;i4 + X4X14 + X5:(;i4 + :(;7:(;i4 + xgxi4 + X13X14 + X3X15 + X4X15 + 
3:63:i5+3:8 3:i5+3:i03:i5+3:i33:i5+3:i5+xixiQ+X5Xi6 + xgxi6+X9Xi6 + xiixi6+xi4Xi6+xi5Xi6 + xiQ+xixi7 + X3Xi7 + XQXi7 + X7Xi7 + 
3=12^17 + 3=13x17 + X15X17 + X3XI8 + X4XI8 + XQXig + X9XI8 + 3=10X18 + 3=11X18 + 3=i23;i8 + 3=13x18 + 3=17x18 + xi8 + 3=4x19 + X5X19 + xqxiq + 
3:7'''19 + 'i'83:i9 + '''93:19 + 3;i2'i'19 + '''133519 + 3;i5a;i9 + 3:i7a;i9 + a;ia;20 + 3:ioa;20 + 3:133:20 + 3;i4a;20 + 3:16X20 + '^17'^2Q + 3:i83;20 + 'i'19'''20; 

7) Set a 7-dimensional vector Z that has all 7 coordinates as Boolean linear functions: 

z = yi||y2,i||^3,i = 



X4 + X5 + X7 + 


xii + X14 + X15 + X16 + X20 




3=1 + 3=4 + X5 + 

+ 3=13 + 3=14 + 3: 


XQ + X7 + xg + X1Q + a;ii + 3=12 + 

15 + 3=19 + 3=20 




XI + X2 + X3 + 
+ 3=13 + 3=14 + 3: 


X4 + X6 + X7 + X8 + xg + X10 + 
15 +3=16 + 3:17 + xig + X19 




3=3 + 3:4 + 3=5 + 


3=9 + xiQ + xii + X12 + X14 + X17 + X19 




x-Y -\- X2+ X3 + 


^^7 + 3:8+ xio + 3;i5 + X17 + X19 + 0=20 




1 + Xl + X4 + X 


7 + 3=8 + 3^12 + 3113 + + 0=16 + X17 





_X2 +3:3 + X5 + 2=7 + xg + a;io + 3;i2 + 3:13 + a;i5 + 3;i8 + 3;20- 



8) Transform Z by the bijcction of Dobbertin: 
W = 'Doh{Z) - {WuW2,Wz,W4,W^,Wq,W7), 
where 



Wi = 1 + X2a;i + x^X\ + x^x^ + a;7a;i + sciqxi + x\\x\ + a;i23=i + x\^x\ + a;i4a;i + x\^x\ + xigxi -\- x\ + x^ + 3:3x4 + 3:4 + 3:23:5 + xq + 
3:33:7 + 3)3X7 + 3:4x7 + 3:53:7 + X23:g + X3»8 + 3:5X8 + 3:73:8 + Xg + 3:5339 + ^53:9 + »23:io + 3:43:10 + 3:53:10 + 3;7a;iQ + 3:ga;iQ + ^93:10 + 3;iQ + »4 3:11 + 
3:53:11 +3)6 3:11 +X7Xii+3:gXii+X9Xii+xiQXii+X2 3=12 + 3:3x12 +3:4 3)12+3:5 xi2 + 3;gXi2-|-3:iQXi2 + 3;iiXi2 + 3:i2 + 3:3 xi3+X5Xi3+xgXi3 + 
3:11 3:13 + X2 3;i4 + X4X14 + Xg 3:14 + X7X 14 + xgx 14 + X9X14 + X 10 3:14 + X 12 3:14 + Xi4 + X2 3:15 + X3X 15 + X4 3:15 + X5X15 + 3:gxi5 + xiQX 15 + xi 1X15 + 
3:143:15 + 3:23:16 + 3:33:16 + 3:4X16 + X7XI6 + 3;gXi6 + 3:123:16 + 3:14X16 + X15X16 + 3:3X17 + X4X17 + X5X17 + X7X17 + X9X17 + X12X17 + X13X17 + 
3:14X17 + X15X17 + X16X17 + X17 + X4Xig + X6Xig + XiiXig + Xi3Xig + Xi6Xig + Xig + Xe^ig + X7Xig + XgXi9 + X9X19 + X12X19 + X14X19 + 

3:i5'''l9 + 3:17X19 + XigXig + X2X20 + 3:5X20 + 3:9X20 + 3:103:20 + 3:13X20 + 3:19X20. 

3:5X7 + X6X7 + X7Xg + Xg + X3X9 + X4X9 + X6X9 + X7X9 + X2X10 +X3X10 + xgXiQ + X9X1Q + X4X11 + X7X11 + xgxii + xii + X2X12 + X5X12 + 3:9X12 + 
3:113:12 +3:12 + 3:5X13 +3:7X13 + XgXi3 + X9X13 +X1QX13 +X11X13 +3:12X13 +X3X14 +X7X14 + X9X14 + X1QX14 + 3:12X14 + X3X15 +X4X15 +X5X15 + 
3:63:15 + 3:gXi5 + X9X15 + X11X15 + X13X15 + X14X15 + X4X16 + 3:5X16 + 3:0X16 + 3:7X10 + XgXi6 + 3:10 3:15 + XiiXi6 + 3:12 3: le + 3:13X15 + 3:14X10 + 

3:15=^^16 + '''23:17 + X4X17 + X5X17 + X7X17 + XgXi7 + X9X17 + X11X17 + 3:12X17 + X14X17 + X15X17 + X2Xig + XgXig + XgXig + XiQXig + Xi3Xig + 

3=18 + 3=4 3:19 + 3:53; 19 + X9X19+X13X19+X 14 X19 + X16X19 + 3; igx 19 + X2X20+ 3:3x20 + 3=5X20 +3:123:20 + =^14 3:20 +3=16 3:20 +3=173:20 +3=19X20 + 3=20' 

3=63:7 + 3:7 + X2Xg +X4Xg + X5Xg + X6X8 + Xg + X3X9 + X7X9 + X9 + X2X10 + 3:3x10 + X4X10 + X5X10 + xgxio + X9X10 + xio + X2X11 + X3X11 +xgxii + 
3=93:11 + 3=11 +X2X12+X6X12+X9X12 + X10X12 + 3:23:13 + X3X 13 + X6X 13 + X10X13 + X11X13 + X12X13+X2X14 + X6X14+ X7X14 + X9X14 + X 11X14 + 



3=93:17 + 3:103:17 + 3: 143:17 + 3:15X17 + X3Xig+X6Xig+xgXig+X9Xig+xioXig+xiiXig+xi6Xig+Xig+X2Xi9+X3Xi9+X4X 19 +X5X19+X6X19 + 

3:73:i9+3:i03:i9+3:i23:i9 + 3:i4 3:i9 + 3:i5Xi9 + xi6Xi9+xi9+X23:20 +3:43:20 + 3:53:20 +3:53:20 + 3:73:20 +3: 10 3:20 +3:13X20 +3:15X20 +3:16 3:20 +3:igX20 1 
W4 = X7X1 + X9X1 + X10X1 -I-X13X1 + X14X1 + X15X1 + X16X1 + X17X1 + xigxi + X19X1 + X203:i + xi + X2X3 -I-X3 + X2X4 +X2X5 + X3X5 + X5 + 

3=4x11 + X5X11 + X6X11 + X7X11 + X10X11 + X2X12 + X5X12 + X2X13 + X4X13 +X5Xi3 + X7Xi3 + xgXi3+X9Xi3+xiiXi3+xi2Xi3+X3Xi4 + X4Xi4 + 
3:53:i4 + 3:6'Ci4 + 3;gxi4 + xi3Xi4 + a;i4 + 3:23:i5+X3Xi5 + X5Xi5 + X6Xi5+xgxi5+X9Xi5 + xi03:i5+xiixi5+xi3Xi5+xi5 + X23:i6+3:5Xi6 + 3:63;i6 + 
3:3 3116 + 3:9x16 + X10X 16 +X11XI6 +x 12X16 +X14X16 + x 16 + X5X17 + X7Xi7 + xgx 17 + X10X 17 +x 12X17 + x 14x17 + x 15x17 + X16X17 + X17 + X2 xig + 
3:43:i8+3;53:i8 + 3;73:i8+3:83:i8 + 3;93:i8 + 3;ilxig+xi2Xig+xi4Xig + xi5Xig + xig + X5Xi9+X7Xi9 + xgxi9+xi03:i9 + xi2Xi9 + xi4Xi9 + xi5Xi9 + 
3: 16 3: 19 +3:2 3:20 + 3:33: 20 + 3:43:20 +3:6 3:20 + 3:73: 20 + 3:83:20 +3:9 3:20 + 3:103=20 + 3:133:20 + 3: 143: 20 +3: 15 3:20 +3: 16 3:20 + 3:173=20 + 3:183:20 +3: 19 3:20 +3=20' 
W5 = X4X2 + X6X2 + X11X2 + X13X2 + x\qX2 + X19X2 + X2 + X3 + X1X4 + X4 + X1X5 + X5X6 + X6 + X1X7 + X6X7 + X7 + X4Xg + X5Xg + X7Xg + 
3:1x9 + X5X9 + X7X9 + X8X9 + X9 + X5X10 + X6X10 + X7X10 + X9X10 + X4X11 + X5X11 + X6X11 + X7X11 + xiQXii + xii + X4X12 + X5X12 + X7X12 + 



^9^12 + 3=12 + ^5^13 + ^7^13 + ^10^13 + ^11^13 + ^13 + 3=43=14 + 3=5 3=14 + 3=73=14 + ^9^14 + ^1^15 + ^6^15 + ^8^15 + 

3= 12 3= 15 + ^ 13 3= 15 + 33 14 3= 15 + ^15+^13= 16 + 3=4 ^16 + ^5 3= 16 + 3= 16 +3=8 3= 16 + ^9^16+3;iia: 16 + 3=12^16 + 3= 14 3= 16 + 3= 15^1 

3=4^=18 + 3:5a;i8 + a=6^18 + 3=73=18 + 3=33=18 + 3=103=18 + 3;iia;i8 + 3:122=18 + 3=13x13 + 3=143=18 + 3=153^18 + 3=18 + 3=13=19 + 3=43=19 + 3:63^19 + xqxiq + 
3=123=19 + 3:i3a;i9 + a;i4a;i9 + 3:i8a;i9 + X4^X20 + 3=53:20 + 3:70:20 + 3:93:20 + 3=153:20 + 3:163=20 + 3=183^20 + 3=193=20 + 3:20' 

We = 1 + 3=1^2 + x^X2 + 3:33:2 + 3:11x2 + 3:12x2 + X13X2 + X14X2 + X17X2 + ^203^2 + 3=1^3 + X3 + ^1x4 + X3X4 + X4 + X4X5 + X5 + X1X7 + 
X3X7 + X4X7 + X5X7 + X6X7 + X7 + X3X3 + X4X3 + X7X8 + X3Xg + X4X9 + X5X9 + X4X10 + 3:0X10 + X9X10 + xixii + X3X11 + X4X11 + xgxn + 
3=83:il+3;ii+xixi2+X3Xi2 + 3:3Xi2 + 3:9Xi2 + 3:3Xi3+X4Xi3+X5Xi3 + XQXi3 + X7Xi3 + xio3:i3 + xi2 3=i3 + X3Xi4+X4Xi4+xioxi4+xi2Xi4 + 
3=133=14 + 3=14 + 3=1^15 + X3X15 + X4X15 + X5X15 +X6X15 + X3X15 + X13X15 + + X3Xig + X4Xig + xqxiq + X7X16 + xioxi6 + X12X16 + xi3Xie + 

3=143=16 + 3=15X16 + X1X17 + X3X17 + X5X17 + X6X17 + X7X17 + X8X17 + X9X17 + X15X17 + X16X17 + X17 + X3X13 + X7X13 + xgxig + xioxig + 
3=12 3=18 + 3:i5xi3+xi6 3=i8 + 3=i7xi3 + xixi9 + x3xi9+x4xi9 + x7xi9 + x3xi9 + xi4xi9+xi5xi9+xi6xi9+xi7xi9 + xi8xi9 + xix20 + 3:3x20 + 
3=73:20 + 3:3x20 + 3:9x20 + 3=103:20 + 3:11x20 + 3=14x20 + 3=15x20 + 3:17x20 + 3=183=20 + 3^20' 

Wy = X1X2 + X3X2 + X5X2 + X7X2 + X3X2 + X10X2 + X13X2 + X15X2 + X16X2 + xi8X2 + X203:2 + X3 + X3X5 + xixq + X5X6 + X1X7 + X4X7 + 
X5 X7 + X6X3 + X7X3 + X1 X9 + X4X9 + X7X9+X3X9+X9+X4X10 + X7X10 + X10 + 3:1x11+ X6Xii + X3Xii+xio3:ii+xii+X5Xi2 + 3:6x12 +.3=7x12 + 
3=9 3:i2+3=llxi2+xi2+X3Xi3+X4Xi3+X5Xi3+X6Xi3+X7Xi3 + xgxi3 + xioxi3 + xiixi3+xi2Xi3 + X4Xi4 + X6Xi4 + X7Xi4+xioxi4+xi4 + 
3=1X15 + X4X15 + X5X15 + X8X15 + X9X15 + X10X15 + X12X15 + X13X15 + X14X15 + xixig + X3X16 + X4X16 + X5X16 + X7X16 + xgxig + xgxig + 
3=113=16 + 3:13x16 + x 15x16 +X16 + X1X17 + X3X17 +X4X17 + X5X17 + X6X17 + X7X17 + xga;i7 + ^Q^^l? + ^10^^17 + 3:14^17 + ^15^17 + ^17 + ^3^18 + 
3=43:18 + X10X13 + X12X13 + X13X18 + X16X18 + xig + X1X19 + X3X19 + X4X19 + xgxig + xiQXig + xnxig + a;i3a;i9 + a;i4Xi9 + xigxig + xig + 
3=43=20 + 3:5x20 + 3:63=20 + 3=7x20 + 3=10x20 + 3=13x20 + 3=15x20 + 3=16X20 + 3=igX2o; 



9) Set Fi = (Wi^W^^Ws^W^^W^), ¥2,1 ^Wq, ¥3,1 = W7; 



10) Compute y = T-y' 



11) The public key is y, given by the system of 20 equations of 20 unknowns: 

yi = Pl{xi, X2,. . . ,X20), 
2/2 = -^2(0^1, X2,... ,X20), 

2/20 = P20{X1,X2, . • - ,2^20), 



where Pi are multivariate quadratic polynomials of 20 Boolean variables. 



In developed form, they look like these: 

yi — -Pl(x) = XI +X2 + X2X1 +X3X1 +X4X1 +X5X1 +X6X1 +X7X1 +xgxi +xio3;i +X3X4 + X4X5 + X5 +X4X6 +X5X6 + X6 +X7 + X2X3 +X3X3 +X4X8 + 
a'S'^S +3=73=8 + 3=8 + 3=23=9 + X3xg+X7xg+xgxg + xg + X2Xio +3=4x10 + X5X10 +3=63=10 +3=73=10 +3=93=10 +3=23=11 +X4Xii+X7Xii+xgxii+X9Xii+X2Xi2 + 
3'5'''12+3=7Xi2+X8Xi2+3;9Xi2 + xiixi2+X2Xi3+X4Xi3+X8Xi3+X9Xi3+xi03=i3+X2Xi4+X3Xi4+X9Xi4+xi03=i4+xiixi4+xi3Xi4+X2Xi5 + 
X4a;i5+x5xi5+x7xi5 + xgx 15+ XI IX 15 +X14X15 + X15+X4X16+X5X16 +3=6X16 +3=7x16 +3=gxi6+xioxi6 + xiixi6 +3=15x16 +3=3x17 + X4X17 + X6X17 + 
3'7'^17 + 3=83=17 + 3=123=17 + 3=16 3=l7+''^17 + 3=43:i8 + 3:6 3:i8+'3:73:i8 + xi2xi8 + xi3xi8 + xi5xi8 + xi6 3=i8 + 3=i8 + 3;2xig+x5xig+x6xig+x7xi9 + x8xi9 + 
a^ga^iQ +xiixig +X13X19 + x 14x19 +xi6xig + xi7xig+xi9 + X3 X20 + 3=5 X20 + 3=6 3:20 + 3=8 3=20 + 3: 9 3=20 + 133=20 + 3=15x20 + 3=16x20 + 3=17x20 + 3= igx20 , 

y2 = ^2(3:) = X2X1 + X3X1 + X4X1 + xgxi + xioxi + X12X1 + X17X1 + xigxi + X203;i + xi + X2 + X2X3 + X3 + X3X4 + X4 + X2X5 + X2X6 + 
3=5 '''e + 3=6 + 3=23=7 + X3X7 + X7 + X2xg +X3X8 +X4X8 + X7xg +X8 +X5X9 + X7X9 +X9 +X3X10 +X4X10 +x6xio + X7X10 +X4X11 + X5X11 +X6xii + 
3:7'^11 + 3=gxii + xgxii + xiQXii + X4X12 + X5X12 + X10X12 + X3X13 + X5X13 + X7X13 + X11X13 + X12X13 + X13 + X2X14 + X7X14 + X11X14 + 
3:133; 14 + X14 + X2X15 + X5X15 + X12X15 + X13X15 + X15 +X2Xi6 +X3X16 + X4X16 + X5X16 + X6Xi6 + xgxi6 + X12X16 + X13X16 + X14X16 +X3X17 + 
X4X1J + X6X17 + X7X17 + X9X17 + X2Xig + X4X18 + X7X18 + xgxig + xi2Xig + xi3Xig + X14X13 + X15X18 + xi7Xig + X4Xig + X6Xig + X7Xig + 
3'8'''19 + 3:iixig + X13X19 + xig + X2X20 + X3X20 +3=6X20 + 3=7x20 +X15X20 + 3=17x20 + 3=19x20, 

?^3 = ^3(3=) = 3:2x1 + X3X1 + X9X1 + X13X1 +X16X1 +X17X1 +X19X1 +X20X1 +X1 + X3 + X2X4 +X3X4 + X2X5 +X5 +X2X6 + X3X7 + X4X7 + X5X7 + 
X6X7 + X7 + X2'i'8 + 3=3 3:8 + ■'^33=9 + 3=43=9 + 3=53:9 +X6X9 +xg +X2X10 +X3X10 +X4X10 +X6X10 +xgxio +X10+X2X11+X4X11+X6X11+X2X12+X3X12 + 
^4^12 + 3;iia;i2 + X3X13 + X6X13 + X7X13 + xgxi3 +X9X13 +X5X14 +X6X14 + X7X14 +xgxi4 + x 12x14 + X13X14 +X2X15 +X4X15 + X5X15+X6X15 + 
a'll^is + x 12X15 + X13X15 + X15 + X3X16 +X4X16 +X5X16 + X6X16 + xgxi6 + xioxi6 + xi2xi6 + x 14x15 + xi6 +X4X17 + X5X17 + X6X17 + X7X17 + 
3:8'^17 +3=93=17 + X10X17 + X 12X17 + xi3xi7 + x4xig + xgxig + xgxig + xiQxig + xi2Xig + xisxig + xi4xig + xisxig + X17X 13 + xig + X3X19 + X4xig + 
3=7^19+3=133=19+3=173=19+3=3x20 + 3=4x20 +3=5x20+3=63=20+3=73=20 +3=33=20+3=93=20 +3=103=20 +3=123=20+3=133=20+3=143=20 +3=16 3=20 +3=17x20+3=133=20 ' 

y4 = ^4(3=) = X4X1 + X7X1 +xgxi + X10X1 + X11X1 + X12X1 + X13X1 + xigxi + X19X1 + X203=1 + xi + X2 +X2X5 + X4X5 +X5 + X2X6 + X3X6 + 
3:4a;6+X6+x3X7 + x6X7+x7 + x2xg+x4Xg-|-x5xg+x6Xg+x7xg+x3X9+x5X9+x7X9+x2Xio+x4Xio+x6xio + x7xio + x2xii+x4xii+x7xii + 
3=8^11 + 3=9x11 + X11 + X2X12 + X3X12 + X4X12 +xgxi2 +X9X12 +x 10x12 +X11X12 +X3X13 +X5X13 + X6X13 + X7X13 + X9X13 +X11X13 + X13 + 
3:3''^14 +3=43=14 +3=5x14 +X6X14 + X10X14 + X11X14 + X13X14 + X14 + X2X15 +X3X15 +X4X15 + X5X15 + X7X15 + X9X15 + X1QX15 + X13X15 + X2xi6 + 
3=3^^16 + '''43:16 + 3=6X16 + X9X16 + xiix 16 + X 12X16 + X15X16 + X2X17 + X3X17 + X4X17 + X7X17 + xgxi7 + x 19x17 + x 13x17 + x 14x17 + x 15x17 + 
3=17 + ^2 3=18 + '''3 3= 18 + 3=63=18 + X7xig + xgxi8 + X9xig + xioxig + xi2xig + xi4xig + xi5xig + X2X19 + X5X19 + X7X19 + X8X19 + X9X19 + X11X19 + 
3=143=19 + xi6Xig + xi7Xig + xigxig +X2X20 + 3=3x20 + 3=5x20 + 3=7x20 +X3X20 + 3=gx20 + 3=11X20 + 3=12 3=20 + 3=14 3=20 + 3:16 3=20 + 3;igx20 + 3:20 + 1- 

^5 = fsCx) = X2Xi+X4Xi+xgxi+xioxi+xi3Xi+xi7Xi + xigxi+xi+X2 + X2X3+X3+X2X4+X3X4+X2X5+X4X5+X4X6+X5X6+X2X7 + 
3=5X7 + X6X7 + X5Xg+X6Xg+X7Xg+xg + X2Xg+X3xg + X4xg + X5xg + X7X9 + xgxg + xg + X3Xio+X5Xio + xgxio+xgxio + xio + X4Xii+X5Xii+X6Xii + 
3=8^^11 +3=11 +X3X12 +X5X12 +xgxi2 +xgxi2 + x 12 + X2 x 13 + X4 x 13 + xg x 13 + X7 x 13 + X2 x 14 + X3 x 14 +X4X14 +X6X14 + X7X14 +xgxi4 +x 10x14 + 
3=23=15+X3Xi5+x5xi5+x6xi5+xiixi5+xi2Xi5+xi4xi5 + x2xi6+x3xi6+X5xi6+x6xi6+X7Xi6+xiixi6+xi2Xi6+xi5Xi6+X2Xi7+X3Xi7 + 
3=5'''17 + 3=6 3=17 + 3=8 3=17+3=103=17 + 3=113;i7+xi6xi7 + xi7 + x2xi3 +3=3Xig+X5xig + X6X13 + X7xig+xgxig + xgxig + xiixig+xi2xig + xi3xig + 
3=14 3=18 + 3=163:i8+3=33=19+3=53=19+3=73=19+3=83=19+3=12 3=19+xi3xig+xi6Xig+xigxig+xig+x6X20 + 3=iix20 + xi2X20 + 3=i3X20+3=l7X20+3=l83=20 + l' 

y6 = -^'6(3=) ^ 3:1x2 + X3X2 + X5X2 +X6X2 + X7X2 + X8X2 + X15X2 + X17X2 + X18X2 + X20 3=2 + X1X3 + X3 +X5 + xix6 +X3X6 +X4X6 + X1X7 + 
X4X7 + X5X7 + xixg + X3Xg + X7Xg +xg+X4xg +xgxg +X4XiQ+X6XiQ+xgxio+xio+xixii + X3Xii +xgxii + xioxii + xii + X1X12+X5X12 + 
3=7'''12 + 3;gxi2 + 3=11x12 + X1X13 +X3X13 +X4X13 +X6X13 +xgxi3 +3=9x13 + x 12x13 + X13 + X3X14 + X5X14 + X6X14 +xgxi4 + X10X14 + X11X14 + 
3=133=14 + '''14 + 3=3x15 + X7X15 + X3X15 + xgxi5 + X10X15 + X11X15 + X12X15 + x 14x15 + X7X16 + xgxig + 3;gxig + x 10 xig + X13X16 + xisxig + 
3=1^=17 +X4a;i7 + xgxi7 + X11X17 + xi7 + xixig +X4Xig + X5Xig + xiixig + xi4Xig + xi6Xig + X1X19 +X4X19 +X5X19 + xgxig + X7Xig + xgxig + 
3=103=19 + 3: 14 X19 + X15X19 + xig + X1X20 + 3=5x20 + xgX20 + 3=7X20 + X9X20 + '':i03=20 + ^113=20 + ^153=20 + ^163=20 + ^173=20 + ^183=20 + ^193=20 + 1> 

yj = Pj(x) = X4X3 + 0:5x3 + X6X3 + xi3a;3 + xi4a:3 + X 16 X3 + xigX3 + X203:3 + 3:3 + X4 + 0:10:5 + X2X5 + X4X5 + xixg + X2X6 + xg + X1X7 + X5X7 + 
3=1 xg + X7Xg + xixg + X2 3=9 + 3:4 X9 + X5a;g+xiXio+ 3:2x10 + X5X 10 +X6X 10 +3:gXiQ+xgXio+ 3:5x11 +X7xii+xgxii+a;gxii+xii+xixi2+3;2'''12 + 
3=43=12 + 3=gxi2 + xgxi2 + X11X12 + X1X13+X4X13 +X5X13 + X6X13 +X7X13 +X9X13 + X11X13 + X12X13 + X1X14 +X2X14 +X4X14 + X7Xi4+xgXi4 + 
3=9x14 + X13X 14 + x 14 +X4X15 + X7X15+X9X15+X 10X15 + x 14x15 +X4xig+xgx 16 + X7X 16 + xgx 16+ xgxig + x 13 xig + xi4xig+x 16 +X2X17 + X4X17 + 
3=53^17 + 3=7Xi7 + x 13x17 + X14X17 + X15X17 + xigxi7 + X17 + xixig + X5Xig + xgxig + 3;gxig + xi2Xig + xi5Xig + xig +X4Xig + X5Xig + X7Xig + 
3=83^19 + 3;9Xig + xi4Xig + X15X19 + xigxi9 + X4X20 + 3:5X20 +3=6X20 +3=73=20 + 3=9X20 + 3=11X20 + 3=133=20 + 3=14X20 + X16X20 +3=17X20 + 3:igX20i 

VS = ^8(3=) = X4X1 +X5X1 +X7X1 + xgxi + X14X1 + X15X1 + xigxi + xigxi + X203:i + xi +X2 + X2X3 + X3 + X2X4 +X4 + X3X5 +X4X5 + X5 + 
3=23=6 + 3:3X6 + X2X7 + X3X7 + X5X7 + X7 + X4Xg + X5Xg + xgxg +X2X9 + X5X9 + xg + X2X10 + 3:3x10 + 3:5x10 + 3:9x10 + 3:10 + X4X11 + X5X11 + xgXii + 
3:7x11 + xgXii+xgXii + xioXii+xii+X2Xi2 + X3Xi2+X5Xi2+3:7Xi2 + xgXi2+xgXi2 + xiiXi2+3:i2+3:5Xi3 + X7Xi3+xi23;i3 + X2Xi4 + X3X 14 + 
3:63:i4 + 3:9Xi4 + xio3:i4 + X2Xi5+X3Xi5+X5Xi5+X6Xi5+X7Xi5+xgXi5+X9Xi5+xi2Xi5+X3Xi6 + X4Xi6 + xgXig + xi3Xig+xi5Xig+X5Xi7 + 

3:9x19 + xiQXig + X12X19 + X15X19 + xi7Xi9 + xigxig + XgX20 + 3:7x20 + 3;gX20 + 3=103=20 + 3=11x20 + 3=12X20 + 3=14X20 + 3=15X20 + 3=19X20 + 3=20' 
yg = -^"9(3:) = X2X1 + X4X1 + XgXi + 3:11X1 + 3:13X1 + XigXi + X17X1 + XigXi + xi + X23:3 + X23:4 + X3X4 + X2X5 + X4X5 + XsXg + X5Xg + 
3:3 3=7 + 3:5x7 + X6X7 + X2Xg+X5Xg-|-xgX8 + xg+X2X9 + X5Xg + xgXg + xg + X4X 10 + 3:5X10 + 3:7X 10 + X9X 10 + 3=2X11 + X5Xii+X6Xii+xgXii + 
3:9X11 + xii + X2X12 + 3:5X12 + XQX12 + Xgxi2 + X11X12 + X12 + X3X13 + XQX12 + 3=9X13 + xio3:i3 + X13 + X4X14 + X6X14 + xio3:i4 + X2X15 + 
3:43=15 + xgxi5 + X7X15 + xgxi5 + X10X15 + X11X15 + X2Xig + X3X16 + X5X16 + xiQOJig + X12X16 + X4X17 + Xgxi7 + X9Xi7 + X10X17 + X11X17 + 
3=123:17 + 3:15x17 + xi7 + X4Xig + X7Xig + xgXig + xiixig + xisxig + xisxig + xigXig + xi7Xig + xig + X3Xi9 + X4Xi9 + xi2Xig + xigXig + 
3:173:19 + 3=3x20 + 3=4x20 + 3=5x20 + 3=6X20 + 3;gX20 + 3:gX20 + 3=103=20 + 3=11X20 + 3=13X20 + 3=14X20 + 3=15X20 + 3=16X20 + 3=20' 



yiO = -f'io(^) = a;ia:2 + ^4^2 + ^2 + ^6^2 + ^7^2 + ^8^2 + ^9 ==2 + ^10^2 + 3=113=2 + 3^12 3=2 + 3=153;2 + ^16^2 +^18^2 + ^2 
«3^5 +^4^5 + ^1^6 + ^5^6 + ^3^7 + ^5^7 + ^6^'7 + ^7 + 2=4^8 +'^6''^8 + ^8 + '^1^9 +^4^9 + ^7^9 +^3^ 

=^4^11+^5^11+^11+^5 ^12+^6^12 + ^7^12+^9^12 + 12+^1^13+^5^13 + ^7^13+^13 + ^4^ 14 + ^5^14 + ^7^14 + ^11^ 

^4 ^15 + ^5 ^15 +^6 ^15 + ^7^15+^11^ 15 + ^12 3= 15 + ^14 ^15+3=13: 16 + 2:4 ^16 + ^7 ^16+3= 10 ^16 + ^11^ 16 + 3= 12 3= 16 + 3= 13 ^16 + 3= 15 3=16 + 

^9 ^17 + 3=113=17 + 3=13 ^17 + ^14 3=17 + ^16^17 +^3 ^18 + ^4 ^18 +^7 ^18 + ^8 ^18 + ^10^ 18 + ^13^ 18 + ^15^ 18 + ^16 ^18 + ^17^ IS +^18 + ^1^19 +^3 

3:5 ^19 + ^6 3= 19 +3=7 ^19 + ^8 3= 19 +^9 ^19+3=113= 19 + ^12^19+3=173= 19 + 3= 19 + ^=33=20 + 3=6 3=20 + 3= 7 3=20 + 3=93:20 + 3^113=20 + 3=163^20 + 3^183=20 + 3=193:20, 

yil = -Pi 1(3:) = + x^X2 + X4X2 + a; 50:2 +3:60:2 + 3:ga:2 + xiiX2 +3:^2 3:2 +3:150:2 +3=170:2 + 3=193:2 + 3:33:4 + X4 + xix^ + X3X5 + X4X5 + 

3:5 + xiXQ + 3:33:6 + 3:53:6 + 3=6 + 3:43:7 + 3:53:7 + 0:7 + xix^ + 3:33:3 + 3:43:3 + XQX^ + xg + xiXQ + 3:43:9 + 0:53:9 + 3:73:9 + 3: 9 + ^1X10 + a;3Xio + 
3=7 ^10 + 3=8 ^10 + 3=10+3:1x11+ X3 3:11 + X4 3:11+ 3:5 X11+XSX11+X13: 12 +3=5 3: 12 + 3:6 3:12 + 3:9x12+3:103= 12 + 3:113: 12 + 3=ix 13 + X5X13 + X6 3:13 + 
3=8^13 + 3:9x13 + X10X13 + X11X13 + X12X13 + X13 + X4X14 + X5X14 + X7X14 + X11X14 + X12X14 + X1X15 + X5X15 + X9X15 + xiqxis + xnxis + 
3=12=1^15 + ^133=15 + 3:3x16 + X5X16 + 3363=16 + 3:3x16 + 3:iQXi6 + xiixi6 + 3:13x15 + xig + X1X17 + X3X17 + X6X17 + X7X17 + X8X17 + X9X17 + 
X 10X17 + X11X17 + X13X17 + X 14x17 + X16X17 + X17 + X3X18 + X5X1S + 3:9x13 + 3:iQXig + X13X1S + 3:14x^5 + X15X1J5 + xij^ + X5X19 + X7X19 + 
^11^19 + ^133=19 + 3=163^19 + ^19 + 3=33:20 + 3:4x20 + 3:5x20 + 3=7x20 + 3=9x20 + 3:11x20 + 3= 12 20 + ■3^13 3=20 + 3:153:20 + 3:153:20 + 3:20 ^ 

3^12 = ■F'l2(3^) = X3X2 +X11X2 +X13X2 +X14X2 + X16X2 + X19X2 + X203:2 +3:2 + 3:1x3 +X3 +X1X4 +X3X4 +X3X5 +X4X5 +X5 +X1X5 +X1X7 +X4X7 + 

X6X7+X7+XIX8 +X3XS +X5X8 +XIX9 +X3X9 +X4X9 +X5X9 +X5X9 +X7X9 +XSX9 +X6XIO +XSX1Q +X1X11 +X3X11 +X4X11 +X7X11 +X10X11 +X11 + 

»1^12 + 3=43:i2+3=53:i2 + 3=6^12+3=73:i2 + 3=8^12 + 3=9^12+3:i03:i2+3=12 + 3=13:i3 + X5Xi3+xioxi3 + xi2Xi3 + X3Xi4 + X7Xi4 + X9Xi4 + xi2Xi4 + xi3Xi4 + 
3^1^15 +3=33=15 +3:43:15+ 3:53:15 +X9X15+X10X15+X11X15 + X12X15+X 14x15 +Xixi5+x3xi6+x5xi5+xi0'i= 16 +■'^123=16 + 3=143:15 +3:1 3:17 + X3X17 + 
^5^17 + ^73=17 + 3=33:17 + 3:11x17 + xi3Xi7 + xi4Xi7 + xi6Xi7 + X3Xi8+X5Xi8 + X9Xi8+xi5Xi8 + xi7Xis+xixig+X3Xi9 + X4Xig+X5Xig+X6Xi9 + 
3^7^19+3=93:19 +xiQXi9+xiixi9 + xi3Xi9 + xi4Xi9 + xi8Xi9 + xiX20 + 3:s3=20 +3^103=20 +3:113=20 + 3=13^20 + 3=143:20 + 3:153:20 + 3:173:20 + 3:183:20 +3:20 + 1^ 

?^13 ^ -F'l3('3:) = '3:23:1 + X4X1 + X5X1 + X5X1 + X7X1 + xgxi + X15X1 + X17X1 + X19X1 + X203:i + xi + X2X3 + X3 + X3X4 + X3X5 + X4X5 + 
0:3X6 + X4X5 + X5X6 + X3X7 + X6X7 + X4XS + xg + X3X9 + X4X9 + X5X9 + X6X9 + X7X9 + X9 + X2X1Q + X3X10 +3:5x10 +3:3x10 +3:9x10 + X2X11 + 
^3^11 +3:4x11 + X5X11 +X8X11 +X9X11 + x 10x11 + X11 +X2X12 + X4X12 + 3:5x12 + X6X12 +3:3x12 + 3:103:12 + 3:23=13 + X6X13 + X7X13 +X8X13 + 
a'lO^'lS + 3=11X13 + X3X14 + X4X14 + X5X14 + X7X14 + X8X14 + X9X14 + X10X14 + X11X14 + xi2^1A + 3=133:14 + 3:14 + X3X15 + X4X15 + X7X15 + 
» 10 =^15 + ^11^15 + 3:133=15 + 3=143:15 + 3:3x16 + X4X15 +X5X15 + X10X16 + X12X15 + x 13x15 + x 14x15 + X15X15 + X2X17 + X3X17 + X6X17 + XSX17 + 
X9X17 + X1QX17 + X12X17 + X6X1S +3:3x13 +X9X1S + 3:193:13 +xiixi8 + x 12 xig + x 14x13 + X15X13 + xi5Xi3 + X4Xig + X9Xi9 + xioxi9+xi2Xi9 + 
3;i33;i9 + X15X19 + X19 + X2X20 + 3:3x20 + 3:53:20 + 3:5x20 + ■i:il'3:20 + 3=15x20 + 1, 

3^14 ^ -^14(3=) = X1X2 +X5X2 +X3X2 +X10X2 +X11 X2 +X12X2 +X16X2 +X19X2 +X203=2 +3=2 +3=1 X3 +X1 X4 +X1 X5 +X3X5 +X4X5 + X5 +X1 X6 +X5X6 + 
3;6+^4 3=7 + x7 + xix8+x4X8 + x7X3+x3+xix9+x3X9 + x4X9+x5xg + x7X9+x8X9 + x9 + xixio + x3xio+x4xio + x7xio+x8xio+x9xio+xixii + 
0:4x11 +0:7x11 +X3xii+x9xii+xixi2+x5xi2+x5xi2+x3xi2 + x9xi2+xi0xi2+xiixi2 + xi2+xixi3 + x5xi3+x6xi3+x8xi3+xiixi3+xi2 3;i3 + 
XIX14+X3X14+X4X14+X5X14 + X6X14 + X7X14 + X10X14+X11X14 + X13X14 + XIX15+X3X15+X4X15 + X5X15+X7X15+X8X15+X11X15 + X12X15 + 
3=13;i6 + X3Xi6+X5Xi5+X8Xi5+X9Xi6 + xiQXi6+xiixi6 + 3:i23:i6+xi4Xi6 + xi5Xi5+xi6 + xixi7 + X3Xi7 + X5Xi7 + X7Xi7 + X8Xi7 + xiQXi7 + 
Xiixi7 + xi3xi7 + xi5xi7 + xixi8 + x5xi8 + x6xi8+x8xi8+3=i03:is+xi4xi8+xi5xi8+xi5xi8 + xi7xis+xixig + x3xi9+x4xi9 + x5xi9 + x5xi9 + 

3=8^19 +3=103: 19 +3:11 3=19 + X12X19 + X 13 X19 + X 14x19 +X15X19 + X 1x20 + 3:3x20 + 3:5x20 +3:5x20 + 3: 12 3=20 + 3: 13 3:20 + 3:15 3:20 + 3=173:20 + 3=183:20 + 3=19^20' 
f 15 = -^15(3:) = 3:4x2 + X3X2 + X9X2 + X12X2 + X14X2 + X15X2 + xi8X2 + X2 + X3 + X3X4 + X4 + X4X5 + X1X5 + X5X5 + X1X7 + X5X7 + X1X3 + 
X5X3 + X7X8 + X8 + X1X9 + X3X9 + X4X9 + X5X9 + X7X9 + X8xg + xg + xixio + X5X10 + X5X1Q + xgxio + xio + X3X11 + X7X11 + xgxii + xiQXii + 
X3X12 + X4X12 + 3:5x12 + .3:5x12 + X7X12 + 3:3x12 + 3:11x12 + 3:5x13 + X6X13 + X10X13 + X12X13 + X13 + xsxi4 + xgxi4 + X10X14 + X11X14 + 
3=123=14 + ^133=14 + 3:33:15 + x,^;ri5 + X5X-L5 + X6X15 + X3X15 + X1QX15 + xixig + X6Xi6 + xqx-^q + xiqxiq + X12X16 + X14X16 + 3:15X16 + X3X17 + 

X4X17 + X5X17 + X7X17 + .';s.';i7 + 3:11X17 + X-L2 3:17 + X 14X17 + XiXig + X7X18 +3:9X18 + X13X18 + X17X18 +0:3X19 + XgXig + XgX-iQ + Xn^lQ + 

3=123=19 + ^153=19 + 3=17^19 + '^19 + 3=3^20 + ^43:20 + ^11^20 + 3:133:20 + ^163=20 + 3=17^20 + ^183=20 + ^20' 

fl6 -f'l6(^) = 3:23:i+X4Xi+X5Xi+X5Xi+X7Xi+X3Xi+X9Xi+xiQXi+xi2Xi+xi3Xi+xi4Xi+xi6Xi+xi8Xi+X203:i+xi+X2 + X2X3 + X3 + 
X2X4 + X3X4 + X4X5 + X5 + X2X5+X4X5+X3X7 + X5X7 + X5X7 + X7 + X5X8 + X7X3 + X2X9+X2X10 + X3X1Q + X4X10 + X5X1Q + X5X10 + X10 + X4X11+X7X11 + 
3=9^11+3=10^11 + ^11 + ^33=12 + 3=53:12+3=33=12 +X9X12 + X12 + X2X13 + X3X13 + X4X13 + X6X13 + X11X13 + X4X14 + X6X14 + X9X14 + X10X14 + X11X14 + 
3=123=14 + 3=13 3=14 + 3=14 + 3=23=15+3=3 3=1 5 + 3=53=l5+3=63=15+3=93=i5+xi2xi5 + xi3xi5 + xi5+x3xi6 + x7xi6 + x8xi6 + xgxi6 + xi5xi6+x2Xi7 + x4xi7 + 
3=9^17 + 3=103:i7 + 3:il3:i7 + xi3Xi7 + xi4Xi7 + X2Xi3+X3Xi8 + X7Xi8 + X8Xi8+xioxi8 + xi4Xi8 + xi8 + X3Xi9 + X5Xi9 + X7Xig+X8Xi9+X9Xi9 + 
3=10 3=19 + 3=113=19 + X12X 19 + xi5xig + x 16 xig + x 18 X 19 + xig + x3x 20 + 3=3x20 + 3=gx20 + 3= 10 3=20 + ^113=20 + ^12 3=20 + 3:13x20 + 3=163=20 +3=13x20 + 1, 

yi7 — -Pi7(x) = X2X1 + X3X1 +X5X1 + X6X1 +X9X1 + xioxi +X11X1 + X12X1 +X13X1 + X14X1 + X15X1 + xigxi + xi +X2 +X2X4 + X3X4 + 
3=4 + 3=2 3=5 +X3X5 + X4X5 + X3X5 + X5X6 + X4X7 + X3X8 + X5X3 + X6X3 + X7X3 + X2X9 + X3X9 + X4xg + X5X9 + X7X9 + X8X9 + X9 + X3X10 + 3:4x10 + 
3:7^10 +3:8Xio + xio + X2Xii+X3Xii+X5Xii+X6Xii+X7Xii+X9Xii+xii+X2Xi2+X5Xi2 + X3Xi2 + X9Xi2 + xiixi2 + xi2+X3Xi3+X7Xi3 + 
3=8^13 + 3=93=13 + X10X13 + X11X13 + X12X13 + X2X14 + X3X14 + X4X14 + X5X14 +X6X14 +X8X14 + X9X14 + X14 +X4X15 +X5X15 + X7X15 + xgxi5 + 
3=103=15 + ^11^15 + 3=123=15 + 3:13x15 + X15 + X3X15 + X5X15 + X3X15 + X10X16 + 3;iixi6 + X15X16 + X3X17 + X5X17 + X6X17 + X8X17 + X9X17 + 
3=12 3=17 + 3:i33:i7 + 3:i5Xi7 + xi6Xi7 + X2Xi3+X5Xi3+X7Xi3+xiixi3+xi2Xi8+xi3Xi8 + xi6Xi3+xi7Xi8+xi8+X2Xi9 + X4Xi9+X6Xi9 + 
3=7^19 + 3:3x19 + X9X19 + xi3Xig + X15X19 + X15X19 + X17X19 + xi3Xig + X4X20 + 3:5x20 + 3:3x20 + 3:9x20 + 3:i03:20 + 3:123:20 + 3:143=20: 

yi8 = -^18(3:) = 3:1x2 + X3X2 + X4X2 + X7X2 + X10X2 + X12X2 + X13X2 + X14X2 + X15X2 + 3:15x2 + X13X2 + 3:19x2 + X1X4 + X4 + :(;iX5 + 
X3X5 + X3X5 + X4X6 + X5X6 + X3X3 + X5X3 + X5X3 + X1X9 + X3X9 + X4X9 + X5X9 + X5X9 + xg + xixio + 3:5x10 + X7X10 + 3:9x10 + 3:10 +3:3x11 + 
3=43:11 +X5X11 +X7X11 + x 10x11 + X11 +X3X12 +X4X12 + X5X12 + X7X12 +:5=8'':i2 +.'=9'':i2 + 3=11X12 +3:3x13 + x 10 3:13 + 3:11x13 + X13 + X1X14 + 
3=3x14 + X5X14 + X6X14 + X7X14 + X8X14 + X11X14 + X12X14 + X14 + X1X15 + X3X15 + X5:(;i5 + X7X15 + X12X15 + X14X15 + X1X15 + X4X16 + xgxie + 
3=113=15 + 3:14x16 + X15 + X1X17 + X5X17 + X6X17 + X10X17 + X15X17 + X1X13 + X3X13 + X5X13 + X5X13 + X7X13 + X3X13 + xgxi3 + xigxis + 
3=133=18 + 3=163:18 + '3:18 + '3:13:19 + 3:3x19 + X7Xig + X3Xig + X10X19 + xnxig + xi23:i9 + 3:13x19 + X14X19 + xi5Xig + X13X19 + X19 + X4X20 + 
3:7^20 + 3:9x20 + 3:10:5=20 + 3=11X20 + 3:13x20 + 3=15x20 + 3:15x20 + 3=19x20 + 3:20 + 1' 

VIQ = -Pig(x) = X3Xi+X4Xi+X5Xi+X5Xi+X7Xi+xgxi+xiixi+xi5Xi+xi5Xi+xi7Xi+xi3Xi+xi9Xi+X20 3:i+xi+X3 + X3X4 + X4X5 + 
3=5 + 3=23:5 +X3X6 + X4X5 +X5X6 + X6 + X6X7 + X7 + X3X3 + X4X3 +X6X3 + X7X3 +X9 +X2X10 + X4X10 + X5X10 +X5X10 + xio + X2X11 + X4X11 +X5X11 + 
3=8^11 +3:93:11 +3:103:11 + X2X12 + X5X12 + X7X12 +3:9x12 +3:103=12 +3:12 +3:7x13 + xgxi3 + X 12X13 + X3X14 + X4X14 + X5X14 + X3X14 + x 10x14 + 
3=12 3=14 + 3:133=14 +3:3^3: 15 +3:5 3:15 +3:3 3:15 +3:93:15 + 3:123:15 + 3:15+3:23:15 + 3:33:15 + 3:43:16 + X3Xi5 + xgxi5+xioxi6+xi3Xi5+xi5Xi6+X2Xi7 + 
3:33:17 + 3:4x17 + X7X17 + xio.3:i7 + 3:11x17 + X15X17 + X3X13 + X4X18 + X6X18 + X7X18 + X12X18 + 3:13x13 + X15X18 + X16X18 + X3X19 + X4X19 + 
3=63:19 + 3:9x19 + X11X19 + X13X19 + X15X19 + X17X19 + X13X19 + X5X20 + 3=53:20 + 3:73=20 + 3:93=20 + 3:133=20 + 3:14x20 + 3:13x20 + 3:19x20 + 3:20* 

1/20 = -F'20('3:) = 3:3x1 + X4X1 + X5X1 + xgxi + X3X1 + xgxi + X13X1 + X15X1 + X203:i + xi + X3 + X3X4 + X2X5 + X5 + X3X6 + X4X6 + X5X6 + 
X2X7 + X3X7 + X6X7 + X7 + X4X3 + X3 + X2xg + X3X9 + xg + X2X10 + 3:3x10 + :'=6:':i0 + 3:7^5:10 + :':S3:i0 + 3:iO + 3:3x11 + X5X11 + xgxn + X2X12 + X4X12 + 
X5X12 + X6X12 +X7X12 +xgxi2 + 3:2x13 + X3X13 + X4X13 +X7X13 +:';io.'-13 + 3:113:13 +x 12X13 +:(;23:i4 + 3:3x14 + X4X14 +3;5Xi4 +X10X14 + X11X14 + 
3:i2 3:i4 + 3:i3xi4 + x5xi5+x8xi5+x9xi5+xi2xi5 + xi3xi5+xi5+x2xi6+x8xi6 + xgxi5+xiixi6+xi2xi6 + xi3xi6+xi4xi6 + xi5xi6 + 
3:93:i7 + 3:il3:i7 + xi4Xi7 + xi5Xi7 + X3Xi8+X7Xi8 + X9Xi8+xiixi8+xi63=i8+3;i7Xi8+xi8+a:4Xi9+X5Xi9+X6a=i9+X7Xi9+X8a:i9+X9Xi9 + 
3'll3;i9+xi23;i9+xi3Xi9 + a;i7a:;i9+X3X20 + '''63=20 + ^73=20 + ^83=20 + ^103=20 + ^113=20 + ^12 '''20 + '''14^20 + +3=172:20 + 3= 19 2:20 + 3:20 + 1- 



